Millions of military emails have been accidentally sent to Mali
Millions of military emails have been accidentally sent to Mali due to a ‘typing error’, revealing highly sensitive information – despite repeated warnings over the past decade.
Instead of typing in .MIL, the suffix of all US military email addresses, people typed in .ML, the country identifier for Mali. This resulted in a steady stream of sensitive email traffic being sent to Mali, the Financial Times reports.
A misdirected email contained travel plans for General James McConville, the Army Chief of Staff.
It contained a full list of room numbers for him and 20 others, the general’s itinerary, and details on how to collect his key at the Grand Hyatt in Jakarta for an upcoming trip to Indonesia in May.
About ten years ago, a Dutch internet entrepreneur, Johannes Zuurbier, first discovered this problem.
Zuurbier, who has a contract to manage Mali’s country domain, has also reportedly collected nearly 117,000 misdirected emails since January to show the government the seriousness of the problem.
He sent a letter to the government earlier this month saying, “This risk is real and could be exploited by opponents of the US.”
The government of Mali – which has close ties to Russia – will today take control of the .ML domain and with it the misdirected emails after Zuurbier’s 10-year management contract expired.
Zuurbier said he approached several government officials, such as a defense attaché in Mali, a senior adviser to the US National Cyber Security Agency and some White House officials.
He took control of the Mali domain in 2013 and soon noticed a lot of requests coming in for domains like army.ml and navy.ml, which he suspected were emails.
The system he set up to receive such correspondence soon became overwhelmed and stopped collecting messages.
Zuurbier said he took legal advice and repeatedly tried to warn the government – to no avail.
Of the nearly 120,000 emails Zuurbier has collected over the past few months, none have been marked as classified and most are simply spam.
However, some of the misdirected emails contain highly sensitive data about military personnel such as General McConville.
The sensitive information shared in these emails includes x-rays and other medical records, information from identity documents, military craft crew lists and military base personnel lists, tax and financial records, photographs of bases, inspection reports, installation plans, criminal complaints against staff and internal bullying investigations.
Crucially, they also contain official itineraries and bookings, potentially putting officials traveling abroad at risk if the information falls into the wrong hands.
Mike Rogers, a retired US admiral who was in charge of the US Army’s National Security Agency and Cyber Command, told the Financial Times: “If you have this kind of permanent access, you can generate intelligence even from non-classified information.”
While he added that it’s not unusual for people to accidentally send an email to the wrong address, the question was “the scale, duration and sensitivity of the information.”
He warned that the imminent transfer of control of the domain to Mali is a major problem because it is a foreign government that “sees it as an advantage they can use.”
Lieutenant Commander Tim Gorman, who is a spokesman for the Pentagon, told the Financial Times that the Defense Department was aware of the matter and was taking it seriously.
He added that emails sent from a .MIL address to a .ML address would be “blocked before they leave the .mil domain,” after which the sender would be notified that they have the email address of the internal recipient.
Common denominators in the emails include military travel agents misspelling email addresses and staff members sending emails between their own accounts.
Another high-profile leak contained correspondence from an FBI agent with a naval position, who attempted to forward six messages to their military email, but instead sent them to Mali.
These include an urgent diplomatic letter from the Turkish embassy to the Foreign Ministry regarding possible operations by the militant Kurdistan Workers’ Party (PKK) against Turkish interests in the US, as well as a briefing on domestic terrorism and a global counter-terrorism review.
Another dozen people requested that recovery passwords for an intelligence community system be sent to a .ML address instead of their .MIL military address, while others sent passwords for the Department of Defense’s secure file exchange.
The US military is not alone in being affected by emails sent in error: Dutch military personnel, who use the .NL domain, have also sent emails to .ML instead.
Emails sent by the Australian Department of Defense also went astray when they were sent to the .ML domain instead of the US military .MIL domain.