According to a new report, the United States military has been sending millions of emails to a West African country in what is being called a “typo leak.”
The mistake has resulted in highly sensitive information being exposed, including diplomatic documents, passwords, travel details of top officers, and tax returns, according to the report from the Financial Times.
The typo in question has to do with the suffix for all US military email addresses, .MIL. While military personnel may be intending to send an email to another member of the armed forces, they mistakenly continue to send their messages to the .ML domain, the country identifier for Mali.
Other information that was potentially leaked includes highly-sensitive data about serving US military personnel, like medical information, crew lists for ships, photos of bases, naval inspection reports, maps of installations, and contracts.
While the information being leaked is serious, it’s compounded by the fact that the US military has been aware of the typo leak for almost a decade, the Times reported.
The first person to identify the issue was Dutch internet entrepreneur Johannes Zuurbier, who has a contract to manage the Mali domain. Zuurbier has made efforts to notify the US of the problem, but after not seeing any action taken to stop the leak, he started to collect the misdirected emails.
According to the Times, Zuurbier has been collecting emails for six months in an attempt to show the US the issue was serious. Over that time period, he has collected nearly 117,000 emails.
Zuurbier wrote a letter to the US earlier this month, bringing attention to the issue once again, the Times reported.
“This risk is real and could be exploited by adversaries of the US,” he wrote.
Now, retired military officials, like the former admiral of the National Security Agency and the US Army’s Cyber Command, Mike Rogers, are pointing to the risk of letting the information leak.
“If you have this kind of sustained access, you can generate intelligence even just from unclassified information,” Rogers told the Times. “This is not uncommon. It’s not out of the norm that people make mistakes, but the question is the scale, the duration, and the sensitivity of the information.”
Rogers says that Zuurbier having the information in his possession is one thing, but a foreign government is another issue.
The concern is also growing as the internet entrepreneur is coming to the end of his 10-year management contract with Mali’s government, which is closely allied with Russia.
Once his contract is expired, Malian authorities will be able to gather the misdirected emails and do with them what they please.
Pentagon spokesman Lt. Cmdr Tim Gorman said the Defence Department is “aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously.”
He also said that emails sent directly to a .MIL domain to Malian addresses are “blocked before they leave the .mil domain, and the sender is notified that they must validate the email addresses of the intended recipients.”
* Article From: Audacy