A typo error has seen US-sensitive Pentagon messages being redirected to a company that runs the Malian government’s internet domain
Sensitive documents such as diplomatic documents, tax returns, passwords, and the travel details of top officials of the US Army have been misdirected to Mali via a “typo leak”
The itinerary concerning the trip to Indonesia of an army general, James McConville, who happens to be the army’s chief of staff, was also among the leaked document. The list of hotel rooms for the general and twenty others, as well as details on how to collect his keys at the Grand Hyatt in Jakarta.
A Dutch, named Johannes Zuurbier, contracted to Malian government to manage the country’s domain, having collected misdirected emails – nearly 11,700 of them, forwarded them to the government to demonstrate how bad the problem is, and despite this being reported over a decade ago, seems no attention was paid to it.
Most alarming of all is the close ties the Mali government share with the Russian government, and the risk it may pose if such information has found its way into the wrong hands.
Despite repeated warnings over a decade, a steady flow of email traffic continued to .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, suffix to all US military email addresses.
Zuurbier soon after taking up the contract to manage the Mali domain in 2013, noticed traffic coming in for army.ml and navy.ml. He reported the problem to a senior adviser to US cyber security agency as well as White House officials but nothing happened. His email included x-rays and other medical data, info from ID documents, crew lists for military vessels, staff list for military bases, tax/financial records, maps of installations, criminal complaints, and internal investigations
The control of the domain will revert to Mali on Monday from Zuurbier which is closely allied to Russia and Malian authorities will be able to gather the misdirected emails. The Malian government did not respond to requests for comments as of the time of posting this update
Mike Rogers, a retired American admiral who gave his voice said “If you have this kind of sustained access, you can generate intelligence even just from unclassified information”
“This is not common” he added. “It is not out of the norm that people make mistakes but the question is the scale, the duration, and the sensitivity of the information”
Rogers warned that the transfer to Mali posed a significant problem. “It’s one thing when you are dealing with a domain administrator who is trying, and even unsuccessfully, to articulate a concern,” said Rogers. “It’s another when a foreign government that… sees it as an advantage which they can use.
A spokesperson for Pentagon, Lt Cmdr. Tim Gorman said the Department of Defense “is aware of the issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously”
He said that the emails sent directly from the .mil domain to the Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.
This problem appears to be from contractors and staff members who send emails from outside accounts and non-military systems, so the emails don’t get blocked
An FBI agent also sent a global counter-terrorism briefing marked “Not Releasable to the Public or Foreign Governments,” and a sensitive briefing on efforts by Iran’s IRDGC to use Iranian students and the Telegram messaging app to conduct espionage in the US
Other misdirected emails include updates from the defense contractor General Dynamics about production of grenade-training cartridges, and emails from, State Dept.’s special issuances agency that contained passport numbers; the agency issues docs to diplomats and the other government officials. And still more misdirected emails included clear text passwords needed to access documents hosted on the Department of Defense’s secure access file exchange