Millions of military emails were accidentally directed to Mali due to a ‘typo’, exposing highly sensitive information – despite repeated warnings over the past decade.
Instead of typing .MIL, the suffix for all US military email addresses, people type .ML, which is the country identifier for Mali. This led to a steady stream of sensitive email traffic being sent to Mali, the Financial Times reported.
A misdirected email included travel plans for Army Chief of Staff Gen. James McConville.
It included a complete list of room numbers for him and 20 others, the general’s itinerary as well as details on how to collect his keys from the Grand Hyatt in Jakarta for his then-upcoming trip to Indonesia in May.
About ten years ago, a Dutch internet entrepreneur named Johannes Zurbier first identified this problem.
Zurbier, who holds a contract to manage Mali’s country domains, has reportedly been collecting misdirected emails, about 117,000 of them, since January to show the government the seriousness of the problem.
He sent a letter to the government earlier this month saying: ‘This risk is real and US adversaries can exploit it.’
Mali’s government – which has close ties to Russia – gained control of the .ML domain, and hence of the misdirected emails, today after Zurbier’s ten-year management contract expired.
Zurbier said he has contacted a number of government officials, including a defense attaché in Mali, a senior adviser at the US National Cyber Security Service, as well as some White House officials.
He took control of the Mali domain in 2013 and quickly noticed that many requests were coming in for domains like army.ml and navy.ml, which he suspected were for email.
The system he set up to catch any such correspondence soon became overwhelmed and stopped collecting messages.
Zurbier says he has obtained legal advice and repeatedly tried to warn the government, to no avail.
Of the nearly 120,000 emails collected by Zurbier over the past few months, none were marked as classified and most of them were simply spam mail.
However, some of the misdirected emails contained highly sensitive information about military personnel such as General McConville.
Sensitive information shared in these emails includes X-rays and other medical data, information from identity documents, crew lists of military ships as well as personnel lists for military bases, tax and financial records, photos of bases, inspection reports, maps of installations, criminal charges against employees as well as internal investigations into bullying.
Importantly, they also include official travel itineraries and bookings, potentially putting officials traveling abroad at risk if the information falls into the wrong hands.
Mike Rogers, a retired American admiral who ran the National Security Agency and the US Army’s Cyber Command, told the Financial Times: ‘If you have that kind of sustained access, you can generate intelligence even from unclassified information.’
Although he added that it was not uncommon for people to mistakenly send an email to the wrong address, the question was one of ‘scale, duration and sensitivity of the information’.
He warned that the imminent transfer of control over the domain to Mali poses a significant problem, as it is a foreign government that ‘sees this as an advantage that they can use’.
Lt. Commander Tim Gorman, who is a Pentagon spokesman, told the Financial Times that the Defense Department is aware of the matter and is taking it seriously.
He added that emails from those with a .MIL domain to someone with a .ML suffix will be blocked ‘before they leave the .mil domain’, after which the sender will be notified that their email address must be verified by internal recipients.
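The outbound control described above can be sketched as a recipient check run before mail leaves the organisation. This is an added example, not code from the article or the Defense Department; the domain list, the TLD table and the `hold` action for unmatched .ml addresses are assumptions of the sketch.

```python
from email.utils import getaddresses

# Assumed policy values for this sketch (not from the article): the lookalike
# TLD to watch and a sample of the organisation's own mail domains.
LOOKALIKE_TLDS = {"ml": "mil"}            # typed TLD -> intended TLD
INTERNAL_DOMAINS = {"army.mil", "navy.mil"}


def check_recipient(address):
    """Return (action, intended_domain) for one recipient address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ("reject", None)               # not a usable address
    domain = domain.lower().rstrip(".")       # normalise case and trailing dot
    labels = domain.split(".")
    intended_tld = LOOKALIKE_TLDS.get(labels[-1])
    if intended_tld is None:
        return ("allow", None)                # TLD is not a watched lookalike
    candidate = ".".join(labels[:-1] + [intended_tld])
    # Compare the candidate and each parent of it with the internal domains,
    # so mail.army.ml is caught as well as army.ml.
    parts = candidate.split(".")
    for i in range(len(parts) - 1):
        if ".".join(parts[i:]) in INTERNAL_DOMAINS:
            return ("block", candidate)       # almost certainly a typo
    return ("hold", None)                     # watched TLD: sender must confirm


def screen_message(sender, to_header):
    """Apply the policy to every recipient of a message from an internal sender."""
    sender_domain = sender.rpartition("@")[2].lower()
    internal = any(sender_domain == d or sender_domain.endswith("." + d)
                   for d in INTERNAL_DOMAINS)
    results = {}
    for _name, addr in getaddresses([to_header]):
        results[addr] = check_recipient(addr) if internal else ("allow", None)
    return results
```

The `intended_domain` returned with a `block` result is what a bounce notice would show the sender as the probable correct address.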
Common sources of the misdirected emails include travel agents working for the military who misspell email addresses and staff members sending emails between their own accounts.
Another high-profile leak included correspondence from an FBI agent in a naval role, who tried to forward six messages to their military email but sent them to Mali instead.
This includes an urgent diplomatic letter from the Turkish Embassy to the State Department about possible operations by the militant Kurdistan Workers’ Party (PKK) against Turkish interests in the United States, as well as a briefing on domestic terrorism and global counterterrorism assessments.
A dozen others requested recovery passwords for an Intelligence Community system to be sent to a .ML address instead of their military address with .MIL, while others sent passwords for the Department of Defense’s Secure Access File Exchange.
The US military isn’t the only one affected by misdirected emails, as Dutch army personnel – who have .NL domains – sent emails to .ML addresses instead.
Emails sent by the Australian Department of Defense were also misdirected when they were sent to the .ML domain instead of the US military .MIL domain.