A simple typo in email addresses has led to a decade-long security breach for the U.S. military, with millions of emails intended for the military falling into the hands of Mali, a pro-Russia state in West Africa. Turns out that when people forget the “i” in the middle of sending an email to a .mil address, it can actually go to the country of Mali. Dutch entrepreneur Johannes Zuurbier has managed Mali’s .ML domain for the past 10 years. Now that his contract has expired and the problem persists, he’s raising the red flag publicly this time.
The Financial Times reported that many of the misdirected emails originated from internal sources, including travel agents, private contractors, and staff who regularly misspelled the .MIL domain in official communications. While most of the messages received by Zuurbier were spam and non-classified, some contained sensitive information such as medical data, passport details, crew lists, photos of bases, internal investigations, and travel plans.
According to the FT, the breach also involved emails marked with disclaimers such as “For Official Use Only” or “Not Releasable to the Public or Foreign Governments.” One notable incident mentioned in the report involved an FBI agent who accidentally sent six messages, including a letter from a Turkish diplomat about possible militant activity and briefings on domestic terrorism, to Mali instead of their military email address.
The Pentagon spokesperson, Lt. Cmdr Tim Gorman, acknowledged the issue and stated that the DoD takes all unauthorized disclosures of controlled national security information seriously. While technical controls are in place to prevent emails from the “.mil” domain from being delivered to incorrect domains, the use of personal email accounts for government business poses a challenge. The DoD continues to provide direction and training to personnel to address this concern.
Zuurbier told the FT that he has been collecting mistakenly sent emails to Mali since the beginning of the year, amassing over 110,000 messages. He has made multiple attempts to engage authorities and raise awareness of the risk posed by the typo leak. Zuurbier highlighted the potential exploitation of this security vulnerability by adversaries of the United States.
The breach comes at a time when Mali’s relations with the West, including the U.S., have deteriorated due to armed rebellion, extremist activity, and military dictatorship in the country. Mali has been strengthening its ties to Russia, with the Kremlin providing assistance in combating Islamist extremist insurgencies. The increased Russian influence in Mali has raised concerns among Western nations, including the U.S., and the United Nations has suggested that it may have led to possible war crimes. However, following the recent failed rebellion by the mercenary Wagner Group in Russia, the future of Russia’s military assistance in Mali remains uncertain.
This typo leak serves as a stark reminder of the potential risks that simple human errors can pose to national security. It underscores the need for robust cybersecurity measures, rigorous training, and awareness among personnel handling sensitive information.
