by ransford 2754 days ago
Marriott's incident page [1] links to a Q&A page [2]. Apparently the forthcoming sorry-we-lost-your-data notifications will come from "starwoodhotels@email-marriott.com".

"Let's immediately set up a separate domain name that looks like ours" remains one of the weirdest antipatterns in incident response.

[1] http://news.marriott.com/2018/11/marriott-announces-starwood...

[2] https://info.starwoodhotels.com/


Is this to purposefully increase likelihood of getting caught in a spam/phishing filter? So they claim they've reached out while also (probably correctly) claiming it's not their fault if customers didn't get it.
Interesting theory. My theory was that there are incident management contractors who get this sort of business and don't want to bother integrating with any existing company's infrastructure, so they just set up something entirely different.
Probably not so much "don't want to bother" as "can't do it in a timely manner because of the company's internal processes".

One of the companies I work for has all kinds of crazy domains because the IT department and the Communications Department don't get along the way they should.

Close to my theory! Basically, they need to send out millions of email fast. This email, with a bunch of legal text will probably have a high 'mark as spam' rate. This will destroy the domain's marketing ability. SO! The marketing guy won the argument in the meeting: don't use the root domain.
As he should. If you fuck up the root domain it’s over.
Airlines do something similar when one of their planes crashes and the fuselage stays relatively intact: they cover the airline's name/logo on it.
That sounds really interesting. Do you have a source for this?
I think the stated reason is usually "a single place users can go to directly", the least nefarious reason is that they don't want to associate the breach with their main site, so only affected or inquisitive customers will know about it.
Anti-pattern does seem like a strong enough word sometimes. These domains are available:

emai1-marriott.com

email-marriot.com

e-mail-marriott.com
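As an added illustration of the typosquatting risk this comment points out (example code written for this page, not from the thread or from Marriott): a small mail-filter check that normalizes confusable characters and separators, then scores a sender domain against an assumed allowlist built from the domains quoted above.

```python
"""Flag sender domains that are lookalikes of a brand's notification domain.

Once a company notifies from "email-marriott.com", near-identical domains
become credible phishing senders. Scoring a candidate against the
legitimate domains catches variants that exact string matching misses.
"""
from difflib import SequenceMatcher

# Constructed allowlist (assumption): the domains quoted in the thread.
LEGIT_DOMAINS = {"email-marriott.com", "marriott.com", "starwoodhotels.com"}

# Digits commonly swapped for visually similar letters in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalize(domain: str) -> str:
    """Collapse homoglyphs, digraphs and separators so visual twins compare equal."""
    d = domain.lower().strip(".").translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")   # digraphs that read as m / w
    return d.replace("-", "").replace(".", "")    # "e-mail-marriott" == "emailmarriott"


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between normalized forms; 1.0 means visually identical."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(sender_domain: str, legit=LEGIT_DOMAINS, threshold: float = 0.9) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain.

    An exact (case-insensitive) allowlist hit is legitimate. A domain that is
    not on the allowlist but is near-identical to an allowlisted one after
    normalization is a lookalike and should be quarantined for review.
    """
    if sender_domain.lower() in legit:
        return "legitimate"
    best = max(similarity(sender_domain, d) for d in legit)
    return "lookalike" if best >= threshold else "unrelated"


if __name__ == "__main__":
    for cand in ["email-marriott.com", "emai1-marriott.com", "email-marriot.com",
                 "e-mail-marriott.com", "rnarriott.com", "example.com"]:
        print(f"{cand:22} -> {classify(cand)}")
```

The threshold is a tuning knob: lower it to catch longer edits, at the cost of more legitimate unrelated domains landing in review.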

I wonder whether it might be better if governments took over the notification side of things. Something like "notice@databreach.gov". Companies could pick from a few standard templates and get charged $1.00 per email.