Millions of US Military Emails Leaked to Mali Due to Typing Error
For nearly a decade, millions of US military emails have been mistakenly sent to Mali, a Russian ally, due to a minor typing error. Emails intended for the US military’s “.mil” domain were sent to the West African country, which uses the “.ml” suffix. Some of the emails contained sensitive information, such as passwords, medical records, and itineraries of top officers. Although none of the emails were marked as classified, they included medical data, maps of US military facilities, financial records, planning documents for official trips, and some diplomatic messages.
The misdirected emails have grown less frequent in recent years but still arrive by the hundreds per day. Many of the emails are spam, but some are sensitive, such as one containing hotel room numbers for the Army Chief of Staff, Gen. James McConville, and his entourage on a trip to Indonesia. The Department of Defense (DoD) is aware of the issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously.
The Pentagon has no control over whether third parties incorrectly type defense personnel’s email addresses. The department strongly discourages using personal email accounts for official business. Data Loss Prevention (DLP) technology can help address potential causes of data leaks and loss, including cyberattacks, malicious insiders, security negligence, and human error. Email DLP solutions work by inspecting all messages and attachments to look for content that may represent a potential data leak.
Dutch entrepreneur Johannes Zuurbier has been collecting the misdirected emails since January and has collected over 117,000 so far. He wrote a letter to US officials this month to raise the alarm, stating that his contract with the Mali government was due to finish soon, meaning “the risk is real and could be exploited by adversaries of the US”. Mali’s military government was due to take control of the domain on Monday.
In response to the issue, the Pentagon has implemented policy and training mechanisms. While the Pentagon bounces emails sent to the Mali “.ML” address, contact made via personal accounts does not offer the same protection. The department discourages individuals from using personal emails or credentials for official work.
