Typo redirects millions of Pentagon emails to Mali
WASHINGTON – The Pentagon is again suffering the fallout from a massive information leak – but instead of a rogue Air National Guardsman posting documents on a Discord server, this time the culprit is a missing letter “i.”
Millions of emails meant for Defense Department “.mil” addresses have instead ended up in Malian government “.ml” domain name inboxes.
“The Department of Defense is aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously,” the Pentagon said in a statement Monday.
The messages range from the mundane to the highly sensitive and include tax returns, password retrievals, diplomatic documents and official travel arrangements for top officers, according to the Financial Times, which first reported on the breach.
The typos were first noticed nearly 10 years ago by Dutch internet entrepreneur Johannes Zuurbier, who has a contract to manage the African nation’s domain.
The risk to national security increased exponentially Monday when Zuurbier’s contract expired and the domain reverted to the Malian government — which is closely allied with Russia.
Zuurbier told the FT he has repeatedly reached out to warn the Pentagon of the issue over the years, most recently in a letter early this month that said the “risk is real and could be exploited by adversaries.”
The Dutchman in January began collecting all emails misdirected to the Malian domain, which tallied nearly 117,000 by the time Zuurbier’s contract expired, according to the report.
While many were spam and none were marked classified, some emails included sensitive personnel and contractor information — in the form of crew lists on ships, personal medical information, reports on internal investigations and maps of military bases.
It’s the kind of stuff that may seem harmless by itself, but can be used in the aggregate to gain intelligence on the US military, cybersecurity experts say.
Other emails – such as one this year that laid out Army Chief of Staff Gen. James McConville’s detailed travel plans for a May visit to Indonesia – could present more immediate threats.
For its part, the Pentagon has blocked official emails sent from its .mil domain accounts from reaching Mali’s .ml addresses, requiring each sender to validate the intended recipient’s email address.
“DoD has implemented policy, training, and technical controls to ensure that emails from the ‘.mil’ domain are not delivered to incorrect domains,” the Pentagon said in its statement.
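The outbound control described above, sketched as an added example (not code from the article or from DoD): hold any message whose recipient domain is one character edit away from a domain the organization normally mails, until the sender confirms the address. The domain list, function names and sample addresses are constructed assumptions.

```python
# Added example: outbound look-alike recipient check (not DoD's implementation).
# KNOWN_DOMAINS is a constructed placeholder list of domains the organization
# legitimately mails; a real gateway would load this from its own directory.
KNOWN_DOMAINS = {"hq.example.mil", "staff.example.nl"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipient(address: str, known=KNOWN_DOMAINS):
    """Return (action, lookalike); action is 'deliver' or 'hold'."""
    local, sep, domain = address.strip().rpartition("@")
    if not (local and sep and domain):
        return ("hold", None)                  # malformed: never auto-send
    domain = domain.lower().rstrip(".")
    if domain in known:
        return ("deliver", None)
    # One edit away from a known domain (".mil" -> ".ml", ".nl" -> ".ml"):
    # hold the message until the sender confirms the intended recipient.
    for good in sorted(known):
        if edit_distance(domain, good) == 1:
            return ("hold", good)
    return ("deliver", None)                   # unrelated domain, not a typo


if __name__ == "__main__":
    for rcpt in ("officer@hq.example.mil", "officer@hq.example.ml",
                 "clerk@staff.example.ml", "contact@ministry.example.ml"):
        print(rcpt, check_recipient(rcpt))
```

Comparing against the domains actually in use, rather than blocking the whole “.ml” suffix, leaves mail to unrelated Malian addresses untouched.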
But the department also acknowledged there’s little it can do to prevent messages sent from other domains – such as Gmail or Yahoo – from reaching unintended addresses.
“While it is not possible to implement technical controls preventing the use of personal email accounts for government business, the Department continues to provide direction and training to DoD personnel,” the Pentagon said in its statement.
Some common themes among the messages suggest how the typos are most likely to occur.
A substantial number of the emails appear to come from military personnel forwarding information from their private email to their professional accounts, despite the Pentagon’s ongoing efforts to discourage personnel from using personal accounts for government business, the FT reported.
Others come from the fat fingers of travel agents working for the Defense Department who routinely misspell email addresses, according to the outlet.
The US is apparently not the only country with a problem of emails landing in African inboxes.
Zuurbier’s sorting system reportedly has also discovered messages intended for the Dutch military’s “.nl” domain, though the tally of those emails is under two dozen.