A significant typo has caused a major data breach, leading to millions of US military emails, including highly classified information, being sent to Mali. The error occurred when the email address domain .ML was used instead of .MIL. Consequently, sensitive data such as diplomatic documents, tax returns, passwords, and travel details of high-ranking officials have been exposed. Initially, these misdirected emails have ended up with a contractor responsible for managing Mali’s country domain. However, control of the .ML domain will soon be transferred to Mali’s government, which has connections to Russia.
Dutch contractor Johannes Zuurbier, who oversees Mali’s country domain, discovered the “typo leak”. As early as 2014, Zuurbier attempted to alert the United States about the issue, emphasizing the urgency of the matter. Sadly, his warnings went unnoticed, prompting him to start collecting the misdirected emails this year. This move is intended to prompt the US to address the issue properly before the domain transfer to the Malian government. Zuurbier reported having amassed around 117,000 emails, with nearly 1,000 additional emails received in a single day last week.
While none of the messages have been marked as classified, they still contain sensitive information about US military personnel, contractors, and their families. The leaked content includes travel plans, such as the May trip of US Army Chief of Staff General James McConville to Indonesia. Additionally, exposed data includes maps of military installations, photographs of bases, identity documents with passport numbers, crew lists, tax and financial records, medical information, naval inspection reports, and contractual agreements. Shockingly, the leaked emails also feature criminal complaints against personnel, internal investigations into bullying, and even a Turkish diplomatic letter sent to the US warning about potential operations by the Kurdistan Workers’ Party (PKK).
Former National Security Agency (NSA) head and retired US Navy Admiral Mike Rogers explained that even unclassified information can be utilized to generate intelligence if a sustained access to such data is obtained. While acknowledging that mistakes are bound to occur, Rogers underscored the importance of considering the scale, duration, and sensitivity of the compromised information.
Lieutenant Commander Tim Gorman, representing the Pentagon, assured that the Department of Defense is fully aware of the issue and takes any unauthorized disclosure of controlled national security or unclassified information seriously. Gorman revealed that emails sent from .MIL domains to .ML addresses are blocked before leaving the .mil domain. In addition, the sender is notified that they must verify the email addresses of the intended recipients. This suggests that the misdirected emails may have originated from personal accounts of US military personnel.
The ramifications of this data breach are significant. The exposed information could potentially be exploited by malicious actors seeking to compromise US national security. It also raises concerns about the effectiveness of cybersecurity measures within the US military, as a simple typo has resulted in such a substantial breach. This incident serves as a reminder of the critical need for robust cybersecurity protocols and improved training to prevent similar mishaps and protect highly sensitive information.
Addressing this issue promptly is of utmost importance. The US government must work closely with the contractor managing Mali’s country domain to rectify the situation and prevent any further unauthorized access. Furthermore, reviewing and enhancing cybersecurity measures within the military to mitigate the risk of similar incidents is crucial. The potential consequences of a breach of this magnitude extend far beyond individual privacy concerns and can impact national security and international relations.