Typo leaks millions of US military emails to Mali web operator
A Dutch internet entrepreneur has in his possession around 117,000 misdirected messages intended for the US Army, Navy and other parts of the US military.
Millions of US military emails were misdirected to Mali due to a "typo leak" that revealed extremely sensitive information such as diplomatic documents, tax returns, passwords, and top officials' travel data.
Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses.
Johannes Zuurbier, a Dutch internet entrepreneur with a contract to manage Mali's country-code domain, spotted the problem about a decade ago and has been collecting misdirected emails since January to persuade the US to take the matter seriously. Around 117,000 misdirected messages are in his possession, and almost 1,000 arrived on Wednesday alone.
Zuurbier keeping emails away from Mali, US does not respond
In a letter to the US in early July, he wrote, "This risk is real and could be exploited by adversaries of the US." Moreover, control of the .ML domain will revert to Mali's government, which is close to Russia, on Monday. Malian authorities will be able to collect the misdirected emails after Zuurbier's 10-year management contract expires.
Zuurbier, the managing director of Mali Dili, an organization based in Amsterdam, has repeatedly approached US officials, including a defense attaché in Mali, a senior advisor to the US national cyber security service, and even White House officials.
Much of the email flow is spam and none of it is marked as classified, but the messages contain highly sensitive data about serving US military personnel, contractors, and their families.
X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records are all part of their contents.
'How sensitive the information is, is what's important': former head of NSA and US Cyber Command
Mike Rogers, a retired US admiral who previously led the National Security Agency and US Cyber Command, stated that "If you have this kind of sustained access, you can generate intelligence even just from unclassified information," adding that "This is not uncommon... It's not out of the norm that people make mistakes but the question is the scale, the duration, and the sensitivity of the information."
For example, one misdirected email included the travel plans for General James McConville, the chief of staff of the United States Army, and his delegation for a May visit to Indonesia. The email included a complete list of room numbers, McConville's schedule, and information about picking up McConville's hotel key at the Grand Hyatt Jakarta, where he obtained a VIP upgrade to a grand suite.
Rogers cautioned that Mali's control over the messages was a problem, explaining that "It's one thing when you're dealing with a domain administrator who is attempting, albeit unsuccessfully, to articulate the issue...It's another thing when it's a foreign government that... sees it as an advantage that they can use."
According to Lt. Cmdr Tim Gorman, a Pentagon spokesperson, the Pentagon "is aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously." He explained that the emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients."
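The block Gorman describes is a standard outbound mail gateway rule: hold any message whose recipient domain is a single keystroke away from a domain the organization actually uses, and make the sender confirm the address. The following is an added example written for this page, not code from the article, the Pentagon or Mali Dili. It flags two kinds of slip the article documents: the organization's own top-level domain with a letter dropped (.mil to .ml), and a recipient domain within one edit of a partner domain (the army.nl / army.ml case the article raises later). The protected domain list, the confusable-TLD table and the sample recipients are constructed for illustration.

```python
"""Outbound-recipient check against one-keystroke lookalike domains.

Added example modelled on the gateway rule described in the article; the
protected domains, TLD table and sample addresses below are assumptions.
"""
from typing import Optional

# Domains this organization and its close partners genuinely send to
# (constructed list; a real gateway would load it from the mail directory).
PROTECTED_DOMAINS = {"army.mil", "navy.mil", "mail.mil", "army.nl"}

# TLDs that are one dropped letter from a TLD the organization uses and so
# are never a legitimate destination for it. .mil -> .ml is the article's case.
CONFUSABLE_TLDS = {"ml": "mil"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                  # deletion
                               current[j - 1] + 1,               # insertion
                               previous[j - 1] + (ca != cb)))    # substitution
        previous = current
    return previous[-1]


def recipient_domain(address: str) -> Optional[str]:
    """Lower-cased domain of 'Jane Doe <jane@army.ml>' or 'jane@army.ml'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain or None


def classify_recipient(address: str, protected=PROTECTED_DOMAINS,
                       confusable_tlds=CONFUSABLE_TLDS):
    """Return (verdict, reason); verdict is 'allow', 'hold' or 'reject'."""
    domain = recipient_domain(address)
    if domain is None:
        return "reject", "malformed address"
    # An exact protected domain, or a subdomain of one, is a known destination.
    if domain in protected or any(domain.endswith("." + p) for p in protected):
        return "allow", "known domain"
    tld = domain.rsplit(".", 1)[-1]
    if tld in confusable_tlds:
        return "hold", f".{tld} is one keystroke from .{confusable_tlds[tld]}"
    for p in sorted(protected):
        if edit_distance(domain, p) == 1:
            return "hold", f"{domain} is one edit from {p}"
    return "allow", "no lookalike match"


def gateway_decision(recipients):
    """Hold the whole message if any recipient needs sender validation."""
    flagged = []
    for r in recipients:
        verdict, reason = classify_recipient(r)
        if verdict != "allow":
            flagged.append((r, reason))
    return ("hold" if flagged else "send"), flagged


if __name__ == "__main__":
    # Constructed sample recipients, modelled on the cases in the article.
    sample = [
        "travel.office@army.mil",           # correct address
        "Jane Doe <jane.doe@navy.ml>",      # dropped 'i': goes to Mali
        "ops@army.nl",                      # Dutch army, genuine partner
        "ops@arny.nl",                      # one substitution from army.nl
        "partner@contractor.example.com",   # unrelated, allowed
    ]
    verdict, flagged = gateway_decision(sample)
    print(verdict)
    for addr, reason in flagged:
        print(f"  {addr}: {reason}")
```

The hold verdict, rather than a silent drop, is deliberate: it matches the behaviour Gorman describes, where the sender is told to validate the address, and it keeps legitimate one-letter-apart partner domains such as army.nl usable once confirmed. Note that this control only covers mail leaving the organization's own gateway; the personal-account slips described later in the article bypass it entirely.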
How did Zuurbier detect the misdirected emails?
When Zuurbier took over management of Mali's country-code domain in 2013, he quickly noticed requests for domains such as army.ml and navy.ml, which did not exist. He had previously run similar operations for Tokelau, the Central African Republic, Gabon, and Equatorial Guinea. Suspecting the requests were misaddressed email, he set up a system to catch any such correspondence; it quickly became overloaded and stopped collecting messages.
Zuurbier claims that after learning what was going on and seeking legal assistance, he made many attempts to notify US authorities. According to the Financial Times, he handed a copy of the legal advice to his wife "just in case the black helicopters landed in my backyard."
In order to enlist the assistance of Dutch diplomats, he joined a trade mission from the Netherlands in 2014. He made another attempt to warn US officials in 2015, but it was futile. Zuurbier resumed collecting misaddressed emails this year in a final attempt to inform the Pentagon.
FBI files leaked
The data flow reveals some consistent sources of leakage. Travel agents working for the military frequently mistype addresses. Staff emailing between their own accounts are another recurring problem.
One FBI agent with a naval background tried to forward six messages to their military email and inadvertently sent them to Mali. One of them was an urgent diplomatic communication from Turkey to the US State Department concerning possible operations by the Kurdistan Workers' Party (PKK) against Turkish interests in the US.
When forwarding notes to themselves, that FBI agent repeatedly mistyped their own email address, including when sending a notice from the Turkish embassy in Washington on probable activity by a recognized terrorist group.
The same person also forwarded a series of briefings on domestic US terrorism marked “For Official Use Only” and a global counter-terrorism assessment headlined “Not Releasable to the Public or Foreign Governments.”
Gorman told the FT: “While it is not possible to implement technical controls preventing the use of personal email accounts for government business, the department continues to provide direction and training to DoD personnel.”
What kind of emails were leaked?
About a dozen people requested recovery credentials for an intelligence community system, and the requests were accidentally delivered to Mali. Others sent passwords for documents stored on the Department of Defense's secure access file exchange system. The FT did not use any of the credentials.
Many of the emails are from commercial firms that work with the US military. General Dynamics gave the army twenty routine reports on the production of grenade training cartridges.
Some emails include passport numbers sent by the State Department's special issuances bureau, which issues documents to diplomats and others travelling on official business for the United States.
The Dutch army operates under the domain army.nl, which is one keystroke away from army.ml. More than a dozen emails from serving Dutch forces include discussions with Italian counterparts about an ammunition pickup in Italy and detailed exchanges about Dutch Apache helicopter operators in the United States. Others included conversations about future military procurement and a complaint about the possible vulnerability of a Dutch Apache unit to cyber attack.
Eight emails from the Australian Department of Defence intended for US recipients were misdirected. An artillery manual "carried by command post officers for each battery" was among them.