‘This risk is real and could be exploited by adversaries of the US,’ warned the Dutch whistleblower who discovered them.
A typo has reportedly routed millions of US military emails — some containing highly sensitive information — to Mali. The problem stems from entering .ML instead of .MIL for the receiving email address domain. As reported by the Financial Times, the one-letter mistake has exposed data like “diplomatic documents, tax returns, passwords and the travel details of top officers” — and much more. Although the misdirected emails have (so far) landed with a contractor tasked with managing Mali’s country domain, control of .ML will soon revert to Mali’s government, which has ties to Russia.
The “typo leak” was exposed by Johannes Zuurbier, a Dutch contractor managing Mali’s country domain. Zuurbier says he made numerous attempts to warn the United States about the issue — beginning in 2014 — urging it to take it seriously; he says he hasn’t had any luck. He claims he started collecting the email this year as his contract’s expiration date (and handover of the domain, including the misfired emails, to the Malian government) approaches, as a last-ditch attempt to persuade the US to act with urgency. In a letter to the US in early July, Zuurbier wrote, “This risk is real and could be exploited by adversaries of the US.” He says he has collected around 117,00 emails, and nearly 1,000 more arrived last Wednesday alone.
Although Zuurbier says none of the messages were marked as classified, they still contain sensitive data about US military personnel, contractors and families. Reported contents include the travel plans for a May trip by US Army Chief of Staff, General James McConville, for a May trip to Indonesia. Other exposed information includes maps of installations, photos of bases, identity documents (including passport numbers), crew lists of ships, tax and financial records, medical data, ships’ crew lists, naval inspection reports, contracts, criminal complaints against personnel, internal bullying investigations and bookings. One email from an FBI agent included a Turkish diplomatic letter to the US, warning about possible operations by the Kurdistan Workers’ Party (PKK).
“If you have this kind of sustained access, you can generate intelligence even just from unclassified information,” former NSA head and retired four-star US Navy Admiral Mike Rogers told FT. Rogers says this isn’t uncommon, noting that people making mistakes isn’t out of the norm. However, he adds, “The question is the scale, the duration and the sensitivity of the information.”
Lt. Cmdr Tim Gorman, speaking for the Pentagon, told FT that the Department of Defense “is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously.” He said emails sent from .MIL to .ML address “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients,” which suggests the misdirected emails may have come from US military workers’ personal accounts.