Sensitive US military emails reach Russian ally due to 'typo leak'

Millions of US military emails were mistakenly sent to Mali; the leak has exposed highly sensitive information, including diplomatic documents, tax returns, travel details of top officers

Millions of US military emails were mistakenly sent to Mali, an African nation that is a Russian ally, through a "typo leak".

The leak has exposed highly sensitive information, including diplomatic documents, tax returns, passwords, and the travel details of top officers.

Johannes Zuurbier, a Dutch internet entrepreneur, identified the problem a decade ago. The problem is that people mistype .MIL, the suffix to all US military email addresses, as .ML domain, the country identifier for Mali.

Zuurbier has been managing the Malian domain since 2013 and has collected close to 117,000 misdirected messages.

Zuurbier informed US officials this month that his contract with the Malian government will expire soon, which means that these emails could be exploited after his departure. 

 

The Malian military government will take control of the domain on July 24.

Much of the email flow is spam, but some emails contain highly sensitive data on serving US military personnel, contractors, and their families. The contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.

One misdirected email this year included the travel plans for General James McConville, the chief of staff of the US Army, and his delegation for a then-forthcoming visit to Indonesia in May.

Lt Cmdr Tim Gorman, a spokesman for the Pentagon, said the Department of Defense "is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously".

Zuurbier says that he made repeated attempts to alert the US authorities after realising what was happening and taking legal advice.

Data shows systematic sources of leakage. Travel agents working for the military routinely misspell emails. Staff sending emails between their own accounts are also a problem. Many emails are from private contractors working with the US military. 

Some emails contain passport numbers sent by the state department's special issuances agency, while others included information on future military procurement options and a complaint about a Dutch Apache unit's potential vulnerability to cyber attack.

Eight emails from the Australian department of defence, intended for the US recipients, went astray. Those included a presentation about corrosion problems affecting Australian F-35s and an artillery manual "carried by command post officers for each battery".