Millions of US military emails were misdirected to Mali due to a “typo leak” that exposed extremely sensitive information such as diplomatic documents, tax returns, passwords, and top officials’ travel data, the ‘Financial Times’ reports.
Despite repeated warnings over a decade, a steady flow of email traffic continues to the ‘.ML’ domain, the country identifier for Mali, as a result of people mistyping ‘.MIL’, the suffix to all US military email addresses.
Johannes Zuurbier, a Dutch internet entrepreneur with a contract to manage Mali’s country domain, spotted the problem about a decade ago, and has been collecting misdirected emails since January to persuade the US to take the matter seriously. Around 117,000 misdirected messages are in his possession and almost 1,000 were sent on Wednesday alone.
In a letter to the US in early July, he wrote, “This risk is real and could be exploited by adversaries of the US.” Moreover, control of the ‘.ML’ domain will revert to Mali’s government, which is close to Russia. Malian authorities will be able to collect the misdirected emails after Zuurbier’s 10-year management contract expires.
Zuurbier, the managing director of Mali Dili, an organization in Amsterdam, has frequently approached US officials, including a defense attaché in Mali, a top advisor to the US national cyber security service, and even White House officials.
The email flow is spam and none are marked as classified, but the messages have highly sensitive data concerning the service of US military personnel, contractors, and their families.
X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records are all part of their contents.
A retired American admiral who previously led the National Security Agency and the US Army’s Cyber Command, Mike Rogers, stated that “If you have this kind of sustained access, you can generate intelligence even just from unclassified information,” adding that “This is not uncommon… It’s not out of the norm that people make mistakes but the question is the scale, the duration, and the sensitivity of the information.”
For example, one misdirected email included the travel plans for General James McConville, the chief of staff of the United States Army, and his delegation for a May visit to Indonesia. The email included a complete list of room numbers, McConville’s schedule, and information about picking up McConville’s hotel key at the Grand Hyatt Jakarta, where he obtained a VIP upgrade to a grand suite.
According to Lt. Cmdr Tim Gorman, a Pentagon spokesperson, the Pentagon “is aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously.” He explained that the emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients.”
Many of the emails are from commercial firms that work with the US military. General Dynamics gave the army twenty routine reports on the production of grenade training cartridges.
Some emails include passport numbers sent by the state department’s special issuances bureau, which grants documents to diplomats and others traveling on official business for the United States.
The Dutch army operates under the domain army.nl, which is one keystroke away from army.ml. More than a dozen emails from serving Dutch forces include discussions with Italian counterparts regarding an ammo pickup in Italy and detailed exchanges about Dutch Apache helicopter operators in the United States. Others included conversations about future military procurement possibilities and a protest about the probable vulnerability of a Dutch Apache unit to cyber attack.
Eight emails from the Australian Department of Defense were misdirected to US recipients. An artillery manual “carried by command post officers for each battery” was among those.
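The following is an added example, not code from the article or from any Pentagon system. It sketches an outbound-mail check in the spirit of the blocking the spokesperson describes and of the army.nl/army.ml near-miss: a recipient is held for sender validation when its domain is one keystroke from a protected domain or sits under ‘.ML’. The protected-domain list, function names and sample addresses are assumptions constructed for illustration.

```python
# Added example: hold outbound mail whose recipient domain looks like a typo.
# PROTECTED is an assumed list of domains senders actually mean to reach.
PROTECTED = {"army.mil", "navy.mil", "army.nl"}
BLOCKED_TLDS = {"ml"}  # the TLD the article reports as the typo destination


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insert, delete or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1  # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # exactly one substituted character
    return a[i:] == b[i + 1:]          # exactly one character missing from a


def check_recipient(address: str):
    """Return (verdict, reason); verdict is 'allow' or 'hold'."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        return ("hold", "malformed address")
    if domain in PROTECTED:
        return ("allow", "exact match for protected domain")
    for good in sorted(PROTECTED):  # sorted so the reported match is stable
        if edit_distance_le1(domain, good):
            return ("hold", f"one keystroke from {good}")
    tld = domain.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        return ("hold", f".{tld} recipient requires sender validation")
    return ("allow", "no look-alike detected")


def screen(recipients):
    """Map each held recipient to the reason shown back to the sender."""
    return {r: why for r in recipients
            for verdict, why in [check_recipient(r)] if verdict == "hold"}
```

The one-edit test does not catch transposed characters, so a production filter would add that case and an allow-list for legitimate ‘.ML’ correspondents.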