Company chose to send breach notice from email-marriott.com, not marriott.com, leading to poor deliverability.
A couple of weeks ago hotel giant Marriott announced a data breach involving the personal data of up to 500 million guests. Breaches of this size seem par for the course these days. What is interesting is how companies follow up afterwards; the response often exposes the same sloppy practices that made a breach all but inevitable.
Consider the Equifax breach, in which the company's own social media account tweeted a link to the wrong domain name, a look-alike of the site it had set up with information about the incident, rather than the site itself.
After the news about Marriott broke, I waited to get an email from Marriott that would notify me of what happened and how to protect myself. It never came…until I checked my spam folder. Gmail had marked two emails from Marriott about the breach as spam.
As Spamhaus notes, this is likely because Marriott sent the emails from email-marriott.com rather than marriott.com. Mailbox providers track reputation per sending domain, so email-marriott.com does not inherit marriott.com's standing and is not given the same level of trust. [Update: It seems that email-marriott.com is the domain the hotel chain regularly sends from, so it likely already has a good reputation with email providers.]
Domain reputation is a large part of email deliverability. A domain that mailbox providers have little history with, and that suddenly sends hundreds of millions of messages, looks like a spam or phishing campaign no matter what the messages say. That is the practical argument for sending sensitive notices from a domain that recipients and mailbox providers already associate with the brand.
Email-marriott.com is also suspicious to humans; many phishing domains use a similar format (a generic word, a hyphen, then the brand name). Add to this the propensity of people to misspell Marriott (is it two r's or two t's? It's both) and you have a mess on your hands. Thankfully, some security experts registered the typos.
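The two human-facing problems above, a brand name embedded in a hyphenated label and one-letter misspellings, can be checked mechanically. The script below is an added example, not code from the post or from Marriott; the brand name, the allowlist of known sending domains and the sample addresses are all constructed for illustration, and the two-label "brand.tld" simplification of the registrable domain is an assumption that holds for .com but not for suffixes like .co.uk.

```python
"""Look-alike sender domain triage: an added example, not from the post.

Constructed inputs: BRAND, KNOWN_SENDING_DOMAINS and the sample addresses
in main() are illustrative, not a real allowlist or real mail headers.
"""

BRAND = "marriott"

# Assumed allowlist of domains the brand genuinely sends from. The
# bulk-mail domain is included because the post's update and comments
# say it is Marriott's long-established sending domain.
KNOWN_SENDING_DOMAINS = frozenset({"marriott.com", "email-marriott.com"})


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: an insert,
    delete, substitute or adjacent swap each costs 1. A typo-squat is
    usually exactly 1 away from the brand."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(address: str) -> str:
    """Lower-cased domain of an address, reduced to its last two labels.
    Assumption: a two-label registrable domain (brand.tld)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return ".".join(domain.split(".")[-2:])


def classify_sender(address: str, brand: str = BRAND,
                    known: frozenset = KNOWN_SENDING_DOMAINS) -> str:
    """Classify a From address relative to a brand:
    known, brand-on-unexpected-tld, brand-embedded, typo or unrelated."""
    domain = registrable_domain(address)
    label = domain.rpartition(".")[0]
    if domain in known:
        return "known"
    if label == brand:
        return "brand-on-unexpected-tld"
    pieces = label.split("-")           # "email-marriott" -> ["email", "marriott"]
    if brand in pieces:
        return "brand-embedded"         # the phishing-style word-brand format
    if any(edit_distance(p, brand) == 1 for p in pieces):
        return "typo"                   # mariott, marriot, marrriott, marirott
    return "unrelated"


def typo_variants(brand: str) -> set:
    """Candidate typo-squats one edit from the brand (dropped letter, doubled
    letter, adjacent swap): the names a defender registers pre-emptively."""
    out = set()
    for i in range(len(brand)):
        out.add(brand[:i] + brand[i + 1:])              # dropped letter
        out.add(brand[:i] + brand[i] + brand[i:])       # doubled letter
    for i in range(len(brand) - 1):
        out.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])  # swap
    out.discard(brand)
    return out


def main() -> None:
    # Constructed sample senders for a breach-notice triage run.
    samples = [
        "breach-notice@marriott.com",
        "breach-notice@email-marriott.com",
        "breach-notice@mariott.com",
        "breach-notice@marriott.net",
        "breach-notice@hilton.com",
    ]
    for addr in samples:
        print(f"{addr:40} {classify_sender(addr)}")
    print("typo-squats worth registering:", sorted(typo_variants(BRAND)))


if __name__ == "__main__":
    main()
```

Only "known" should be treated as trustworthy; "brand-embedded" is the email-marriott.com case and is a warning sign when the domain is not on the allowlist, and "typo" is the class of names the post says security experts registered. In practice the allowlist should be confirmed through the brand's published SPF and DMARC records rather than guessed.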
Jovenet Consulting says
They operate their own .MARRIOTT new gTLD and could have done much better than this by sending personalized emails.
I noticed that many big brands don’t even know that they have their own Top-Level domain. I have friends working for AMEX and MMA and…they didn’t know 🙂
James Kite says
That's the problem with .BRAND: those that have them don't really have a plan for them.
They need to be using them yesterday to stand out from the crowd, but instead they wait for someone else to lead the way.
Matthew says
Maybe having everything in his spam folders was part of the plan.
anthonychiulli250ok says
While I agree in principle, email-marriott was their established email sending domain used through Epsilon and had high domain rep. I received the breach notification to my Gmail inbox and can confirm Epsilon deliverability leadership were able to give advance notification to major mailbox providers of the email being sent and context why. 'Email-marriott' is not the most easily recognizable and trustworthy domain, but this is the domain that Marriott has used for a long time as their primary email domain, and it should have been no surprise to active loyal subscribers.
Andrew Allemann says
Thanks for the info, Anthony.
John says
There was also a memo in the church bulletin approved by leadership in Salt Lake City.
Joseph Smith says
There was also a memo in the church bulletin worldwide, approved by leadership in Salt Lake City.
Darren Palmer says
I agree with the author.
The format of the email domain mimics that used by fraudsters and is therefore bad form.
I don’t have time to check every website notification address and therefore use common sense policy… If it looks like a scam domain – it probably is.