Due to a minor typing error, millions of emails intended for the US military’s “.mil” domain have been mistakenly sent to Mali, a Russian ally, which uses the “.ml” suffix.
This issue has been ongoing for years, and it has been reported that some of the misdirected emails contained sensitive information such as passwords, medical records, and the itineraries of high-ranking officers.
The Pentagon has acknowledged the problem and has taken measures to address it. The Financial Times, which initially broke the story, stated that Dutch internet entrepreneur Johannes Zuurbier discovered the issue over a decade ago.
Since 2013, Zuurbier has been responsible for managing Mali’s country domain and has reportedly collected tens of thousands of misrouted emails in recent months.
Although none of the emails were labeled as classified, they reportedly included various sensitive materials such as medical data, maps of US military installations, financial records, official trip plans, and some diplomatic communications.
Zuurbier recently sent a letter to US officials to raise awareness of the situation. He highlighted that his contract with the Mali government is nearing its end, emphasizing the real risk and potential exploitation by adversaries of the United States.
The domain control was scheduled to be transferred to Mali’s military government on Monday. Requests for comment have been made to Mr. Zuurbier regarding the matter.
US military communications that are marked “classified” and “top secret” are transmitted through separate IT systems that make it unlikely they will be accidently compromised, according to current and former US officials.
But Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security’s Intelligence Law Division, said that even seemingly harmless information could prove useful to US adversaries, particularly if it included details of individual personnel.
“Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit,” Mr Stransky said. “It’s certainly information that a foreign government can use.”
Lee McKnight, a professor of information studies at Syracuse University, said he believed the US military was fortunate that the issue was brought to its attention and the emails were going to a domain used by Mali’s government, rather than to cyber criminals.
He added that “typo-squatting” – a type of cyber-crime that targets users who incorrectly misspell an internet domain – is common. “They’re hoping that a person will make a mistake, and that they can lure you in and do stupid things,” he said.
When contacted by the BBC, a spokesperson said the defence department was aware of the issue and it was being taken seriously.
They said the department had taken steps to ensure that “.mil” emails are not sent to incorrect domains, including blocking them before they leave and notifying senders that they must validate intended recipients.
Both Mr McKnight and Mr Stransky said human errors were prime concerns for IT specialists working in government and the private sector alike.
“Human error is by far the most significant security concern on a day-to-day basis,” Mr Stransky said. “We just can’t control every single human, every single time”.