
Millions of US Military Emails Leaked to Russian Ally Mali Due to Typo: Financial Times

The misdirected emails contained medical data, maps of US military bases, financial information, and planning documents for official visits, as well as some diplomatic letters, among other things.

July 18, 2023
IMAGE SOURCE: AP PHOTO/SUSAN WALSH
US President Joe Biden. (Representative image)

Millions of US military emails were sent to Mali due to a “typo leak” that revealed highly confidential information such as diplomatic documents, tax returns, passwords, and top officials’ travel plans, the Financial Times (FT) reported.

Despite repeated warnings, a constant flow of email traffic to the .ML domain, Mali’s national identifier, persists due to individuals mistyping .MIL — the suffix for all military email addresses in the US. The Pentagon stated that it had taken steps to fix the issue.

Overview

According to FT, the problem was first identified more than ten years ago by Dutch internet entrepreneur Johannes Zuurbier, who has an agreement to manage Mali’s country domain. 

Since January, Zuurbier has been collecting misdirected emails to urge the US to take the issue seriously. He has around 117,000 misdirected messages, about 1,000 of which arrived on Wednesday alone. 

None of the documents were identified as confidential, but they contained medical data, maps of US military bases, financial information, and planning documents for official visits, as well as some diplomatic letters, according to the newspaper.

Zuurbier raised the concern in a letter to US officials earlier this month. He stated that his contract with the Mali government was about to expire, implying that “the risk is real and could be exploited by US adversaries.”

On Monday, control of the .ML domain will be transferred from Zuurbier to Mali’s government, which is close to Russia. Malian authorities can collect the misdirected emails after Zuurbier’s 10-year management contract expires. 

Mike Rogers, a retired American admiral who previously led the National Security Agency and the US Army’s Cyber Command, stated, “If you have this kind of sustained access, you can generate intelligence even just from unclassified information.”

“This is not uncommon [...] It’s not out of the norm that people make mistakes but the question is the scale, the duration and the sensitivity of the information.” 


Misdirected Emails


The misdirected emails contain information regarding X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records, as reported by FT.

This year, one misdirected email included the travel arrangements for General James McConville, the chief of staff of the US Army, and his delegation for a May visit to Indonesia. The email included a complete list of room numbers, McConville’s schedule, and information about collecting McConville’s hotel key at the Grand Hyatt Jakarta, where he received a VIP upgrade to a grand suite.

The data flow reveals certain systematic leakage sources. Military travel agencies frequently misspell email addresses. Staff sending emails between their own accounts are also a concern.

One FBI agent with a naval role sought to transmit six messages to their military email — and inadvertently sent them to Mali. One of them was an urgent diplomatic communication from Turkey to the US State Department concerning probable actions by the terrorist Kurdistan Workers’ Party (PKK) against Turkish interests in the US.

US Response

According to Lt. Cmdr Tim Gorman, a Pentagon spokesperson, the Pentagon “is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously.”

Additionally, Gorman stated that emails sent directly from the .MIL domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients.” 

Gorman told FT, “While it is impossible to implement technical controls preventing the use of personal email accounts for government business, the department continues to provide direction and training to DoD personnel.”
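The outbound check Gorman describes, holding a message and asking the sender to validate the recipient, can be sketched as follows. This is an added example, not code from the Pentagon or FT; it generalizes from the single .ML case to any suffix one character away from .mil, and the domain list, function names and hold/deliver actions are assumptions made for illustration.

```python
from email.utils import parseaddr

PROTECTED_TLD = "mil"
# Constructed sample list (assumption); a real gateway would load its own domains.
KNOWN_DOMAINS = {"army.mil", "navy.mil", "mail.mil"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipient(address: str) -> tuple[str, str]:
    """Return (action, reason); action is 'deliver' or 'hold'."""
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain:
        return "hold", "unparseable recipient address"
    base, tld = domain.rsplit(".", 1)
    if tld == PROTECTED_TLD:
        return "deliver", "protected suffix"
    # Hold only when fixing a one-character slip in the suffix yields a
    # known organizational domain, so ordinary .ml or .il mail is not caught.
    intended = f"{base}.{PROTECTED_TLD}"
    if edit_distance(tld, PROTECTED_TLD) == 1 and intended in KNOWN_DOMAINS:
        return "hold", f"{domain} is one character from {intended}; validate recipient"
    return "deliver", "no lookalike match"


def screen_message(recipients: list[str]) -> tuple[str, list[str]]:
    """Hold the whole message if any recipient is held; return sender notices."""
    notices = []
    for rcpt in recipients:
        action, reason = check_recipient(rcpt)
        if action == "hold":
            notices.append(f"{rcpt}: {reason}")
    return ("hold" if notices else "deliver"), notices
```

A check like this only sees mail that passes through the organization's own gateway, which is why messages sent from personal accounts, as Gorman notes, fall outside it.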

According to current and former US officials, “classified” and “top secret” US military communications are transmitted through separate IT networks, making them unlikely to be accidentally compromised.