Posted July 17, 2023 at 5:06 p.m. ET
In this March 2022 photo, the Pentagon is seen from Air Force One as it flies over Washington, DC. (Patrick Semanski/AP)
Millions of emails intended for Pentagon employees were inadvertently sent to email accounts in Mali over the past decade due to typos caused by the similarity of the email address of the US military and domain of this West African country, according to a Dutch technologist who discovered the problem. .
In some cases, sensitive information, such as hotel reservations for senior U.S. military officials, was revealed.
The emails were intended for owners of “.MIL” email accounts – the internet domain owned by the US military – but due to typos they were sent to the .ML domain, which manages the email accounts in Mali, a West African country.
The email incident reveals the security risks for U.S. national security officials that can arise from an innocent typo. Personal information in the emails could be used to carry out targeted cyberattacks or to track the movements of Pentagon personnel – although there is no evidence that this happened in this case.
The Financial Times was the first to report on it.
Johannes “Joost” Zuurbier, a Dutch Internet entrepreneur, received the emails because his company had been hired to manage the .ML domain. Since 2013, Zuurbier said, he has raised the issue with various U.S. officials, including the U.S. Embassy in Mali earlier this year.
“Yes, I was worried, I still am!” Zuurbier said in an email to CNN when asked about possible security risks and misdirected emails.
Zuurbier’s contract to manage the .ML domain expired last week, he said, prompting him to raise media awareness of the issue.
None of the leaked emails were sent from official Department of Defense email addresses, but the department blocked its email accounts from sending .ml email addresses as a precaution, Pentagon Deputy Press Secretary Sabrina Singh said Monday.
She added that “the only thing that got through” was emails from personal accounts, like a Gmail or Yahoo account. The department strongly discourages the use of personal email accounts for official purposes, Singh said.
“The Department of Defense (DoD) is aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously,” said Lt. Cmdr. Tim Gorman said in a statement to CNN earlier Monday.
Misaddressed emails have become less common in recent years, but they still arrive by the hundreds a day, Zuurbier said. Most emails are spam, but some are sensitive.
One of the misdirected emails contained hotel room numbers for Army Chief of Staff Gen. James McConville and his entourage during a May trip to Indonesia .
And while the U.S. government cannot prevent outside users from making typos in emails intended for the government, some of those who made the typos were U.S. government employees.
An email in Zuurbier’s hideout comes from an FBI agent and is intended for a U.S. Navy official, requesting personal information to process a Navy visitor at an FBI facility. The FBI agent uses the .ml domain.
CNN has asked the military and the FBI for comment. The Navy declined to comment.
The Department of Defense “has implemented policy, training and technical controls to ensure that emails from the ‘.mil’ domain are not sent to incorrect domains,” Gorman said in his statement.
“While it is not possible to implement technical controls preventing the use of personal email accounts for government business, the Department continues to provide guidance and training to DoD personnel,” the statement continued.
The Pentagon has no control over whether third parties incorrectly capture defense personnel’s email addresses, Gorman told CNN when asked about it.
It’s not the first time this year that the US military has faced an inadvertent email leak.
A trove of internal U.S. Special Operations Command emails were publicly available online for approximately two weeks in February due to a computer misconfiguration. The Pentagon fixed the issue after a private security researcher discovered the leak.