By Editor-Friday July 28th, 2023.
Millions of US military emails containing potentially secret information have been mistakenly sent to Mali, a Russian ally in Africa, because of a small, but crucial typing error.
Emails intended for the US military’s “.mil” domain have, for years, been sent to the west African country which ends with the “.ml” suffix.
Some of the emails reportedly contained sensitive information such as passwords, medical records and the itineraries of top officers.
The Pentagon said it had taken steps to address the issue.
Since 2013, he has had a contract to manage Mali’s country domain and, in recent months, has reportedly collected tens of thousands of misdirected emails.
None were marked as classified, but, according to the newspaper, they included medical data, maps of US military facilities, financial records and the planning documents for official trips as well as some diplomatic messages.
Mr Zuurbier wrote a letter to US officials this month to raise the alarm. He said that his contract with the Mali government was due to finish soon, meaning “the risk is real and could be exploited by adversaries of the US”.
Mali’s military government was due to take control of the domain on Monday.
Mr Zuurbier has been approached for comment.
US military communications that are marked “classified” and “top secret” are transmitted through separate IT systems that make it unlikely they will be accidently compromised, according to current and former US officials.
But Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security’s Intelligence Law Division, said that even seemingly harmless information could prove useful to US adversaries, particularly if it included details of individual personnel.
Lee McKnight, a professor of information studies at Syracuse University, said he believed the US military was fortunate that the issue was brought to its attention and the emails were going to a domain used by Mali’s government, rather than to cyber criminals.
He added that “typo-squatting” – a type of cyber-crime that targets users who incorrectly misspell an internet domain – is common. “They’re hoping that a person will make a mistake, and that they can lure you in and do stupid things,” he said.
When contacted by the BBC, a spokesperson said the defence department was aware of the issue and it was being taken seriously.
They said the department had taken steps to ensure that “.mil” emails are not sent to incorrect domains, including blocking them before they leave and notifying senders that they must validate intended recipients.
Both Mr McKnight and Mr Stransky said human errors were prime concerns for IT specialists working in government and the private sector alike.
“Human error is by far the most significant security concern on a day-to-day basis,” Mr Stransky said. “We just can’t control every single human, every single time”.
Sources: News agencies, BBC, The Independent.