A simple typo has caused millions of U.S. military emails to be misdirected to Mali over the last decade, the Financial Times (FT) reported on Monday.
The emails can sometimes include highly sensitive data such as diplomatic documents, tax returns, passwords, and travel information linked to leading military officers, the report said.
The error occurs when senders accidentally type the wrong email address, inputting the .ml domain — for Mali — instead of .mil, the one used for U.S. military addresses.
The FT said the issue was flagged up 10 years ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali’s country domain.
Despite sending repeated warnings to the U.S. authorities, the emails keep on coming.
The issue is all the more pressing as Zuurbier’s contract with the Mali government, which has close links to Russia, is about to end, meaning local officials will soon be able to view the content of the emails.
Zuurbier, who said that almost 1,000 misdirected emails arrived on one day alone last week, claims that he’s tried to reach out to U.S. officials on multiple occasions, including in a letter sent earlier this month in which he warned that the “risk is real and could be exploited by adversaries of the U.S.”
The FT notes that while a lot of the messages are spam, some contain confidential information on serving U.S. military personnel, contractors, and their families, including “X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.”
One of the misdirected emails even contained information linked to General James McConville, the chief of staff of the US army, ahead of a trip to Indonesia in May. The email contained McConville’s itinerary, various room numbers, and even instructions on the collection of his room key. in another incident, an FBI agent with naval-linked responsibilities tried to forward six messages to their military email account but mistakenly sent them to Mali instead.
Responding to the situation, Pentagon spokesperson Lt. Commander Tim Gorman said the Department of Defense “is aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously.”
He added that emails that are sent directly from the .mil domain to Malian email addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients,” suggesting that the misdirected messages may be going out from personal accounts or work accounts not directly linked to the military.
Retired American admiral Mike Rogers warned that ongoing access to such emails “can generate intelligence even just from unclassified information,” adding: “It’s not out of the norm that people make mistakes but the question is the scale, the duration and the sensitivity of the information.”