Date: 2023-07-17

More than 100,000 U.S. military emails containing sensitive information on personnel, travel itineraries, and financial records this year have been leaked to a Mali-based domain all because of an apparent typo.

The emails are intended to reach the military's .MIL domain, but have instead flowed into addresses ending with .ML -- the country identifier for Mali, the Financial Times reported.

Johannes Zuurbier, a Dutch internet entrepreneur contracted to oversee Mali's national domain, told the FT he first noticed the issue about a decade ago, and has seen millions of the misaddressed emails pour into the .ML domain.

He has recorded more than 117,000 emails since January as he continues to push U.S. officials to take a serious look at the problem.

Mali's government -- which has close ties to Russia -- is expected to take control of the .ML domain on Monday when Zuurbier's 10-year contract expires. Malian officials did not respond to the Times' requests for comment.

“This risk is real and could be exploited by adversaries of the U.S.,” Zuurbier wrote in a letter to the U.S. officials this month.

None of the misdirected correspondence is considered classified, and most of it is spam, according to the paper.

However, some of the emails contain key information about active military personnel, their families, and government-hired contractors.

Medical data, identifying document information, base staff lists, photos of bases, contracts, criminal complaints against military personnel, inspection reports, ship crew lists, travel itineraries, and tax records, among other pieces of information, are all included in the emails, according to the FT.

One email earlier this year included travel plans for Gen. James McConville, the Army's chief of staff, and his delegation ahead of a trip to Indonesia in May, the outlet reported.

McConville's itinerary, the delegation's list of room numbers, and details on how the delegation will collect room keys at their hotel were all in the email.

“If you have this kind of sustained access, you can generate intelligence even just from unclassified information,” Mike Rogers, a retired admiral who used to oversee the National Security Agency and the Army's Cyber Command, told the Times.

“This is not uncommon,” he added. “It’s not out of the norm that people make mistakes but the question is the scale, the duration and the sensitivity of the information.”

Rogers also said the domain falling back to Malian control raises serious concerns.

“It’s one thing when you are dealing with a domain administrator who is trying, even unsuccessfully, to articulate the concern,” he told the Times. “It’s another when it’s a foreign government that . . . sees it as an advantage that they can use.”

Other emails sent to Mali came from military personnel attempting to send emails between their official and personal email accounts.

About a dozen people requested recovery passwords to an intelligence software system that were ultimately sent to Mali, and some sent passwords that allow users to access files kept by the Department of Defense, per the FT.

Lt. Commander Tim Gorman, a spokesman for the Pentagon, told the publication the Department of Defense “is aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously.”

Emails sent from the .MIL domain to the .ML addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients,” Gorman said.

According to Gorman, it is "not possible to implement technical controls preventing the use of personal email accounts for government business."

But, he added, "the department continues to provide direction and training to DoD personnel."

According to the Times, the domain army.ml is also just a letter away from army.nl, the domain used by the Dutch army.

More than a dozen emails collected by Zuurbier came from Dutch military personnel. The Dutch defense department did not respond to a request for comment from the FT.

There were also eight emails from the Australian Department of Defense intended for U.S. officials. The agency told the outlet it does "not comment on security matters."