A simple typo reportedly directed millions of emails with sensitive information to the African country Mali rather than their intended U.S. military recipients.
For years, a misspelling of “.MIL” in the suffix of military email addresses as “.ML” — the country domain for Mali — unintentionally led to a “typo leak,” according to The Financial Times, which first reported the story. As a result, everything from diplomatic documents, tax returns, passwords and travel details of top officers has been exposed, the outlet noted.
None of the emails are said to be classified.
Department of Defense spokesperson Lt. Cmdr. Tim Gorman told Military Times via email the department “is aware” of the issue and “takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously.”
A Dutch entrepreneur contracted to manage Mali’s domain, Johannes Zuurbier, identified the leak, Financial Times said.
“This risk is real and could be exploited by adversaries of the US,” he wrote to the outlet.
Authority over the .ML domain, Financial Times reported, is set to soon revert from Zuurbier to Mali’s government, which of late has grown its relationship with Russia. The West African nation may now have additional means to cozy up to the long-time U.S. competitor.
Russia and other world powers prod U.S. networks to gain an unvarnished look at weapons and modernization projects, troop movements and other potentially jeopardizing secrets.
The Defense Department has since 2015 experienced more than 12,000 cyber incidents, with yearly totals declining as of 2017, according to the Government Accountability Office, a federal watchdog.
Among the reported contents of the erroneously addressed emails were: X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings as well as tax and financial records.
One misdirected email included travel plans for Army Chief of Staff Gen. James McConville and his delegation for a then-upcoming visit to Indonesia in May, Financial Times reported.
The Pentagon is already dealing with the fallout of a military documents breach. Massachusetts Air National Guard member Jack Teixeira is accused of accessing, keeping and sharing classified national defense information, including insights concerning the Russia-Ukraine war. He pleaded not guilty to charges in June.
“As you’ve seen from when we had our first unauthorized disclosure from earlier this year we’ve implemented policy and training mechanisms,” Deputy Pentagon Press Secretary Sabrina Singh said during a July 17 briefing. While the Pentagon bounces emails sent to the Mali “.ML” address, contact made via personal accounts do not offer the same protection, she added.
“None of the leaked emails that were reported came from a DoD email address,” Singh said, adding that the department discourages individuals from using personal emails or credentials for official work.
The American military is not the only one to fall victim to the spelling blunder, Financial Times reported. Emails meant for the Dutch military, which uses “army.nl,” were also unintentionally sent to Mali thanks to a mistaken “army.ml” in the email domain.
Embassies in Washington for Mali and the Netherlands did not immediately respond to a request for comment made by Military Times.
Jonathan is a staff writer and editor of the Early Bird Brief newsletter for Military Times. Follow him on Twitter @lehrfeld_media
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.