A common typo within the U.S. military has misdirected millions of emails and messages containing sensitive information to the African country of Mali, the Pentagon confirmed Monday.
The issue comes from the U.S. military’s “.MIL” domain name used for emails, which is commonly mistyped as “.ML,” the domain for Mali. The leak has resulted in the exposure of unclassified but sensitive information, such as diplomatic documents, tax returns, passwords and the travel details of top officers, according to an initial report from the Financial Times.
The Pentagon acknowledged the issue in a statement to Fox News on Monday, saying emails sent outside the “.MIL” domain are typically blocked.
“The Department of Defense is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously. DoD has implemented policy, training, and technical controls to ensure that emails from the “.mil” domain are not delivered to incorrect domains. Such emails are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients,” the Pentagon said.
“While it is not possible to implement technical controls preventing the use of personal email accounts for government business, the Department continues to provide direction and training to DoD personnel. The office of the DoD CIO oversees this matter,” the statement continued.
News of the leaks first came from Johannes Zuurbier, a Dutch entrepreneur who manages Mali’s domain. Zuurbier told FT that he has collected at least 117,000 emails from within the Pentagon since January alone, and many more in years prior.
“This risk is real and could be exploited by adversaries of the US,” he told the outlet.
Zuurbier warned that his 10-year contract to manage Mali’s domain expires this week, at which point control will revert to Mali’s government, which is closely allied with Russia.
News of the leak comes just days after China-based hackers gained access to U.S. government emails through a Microsoft cloud system. Microsoft is still investigating the source of the breach, but President Biden’s administration has vowed consequences for those responsible.
Microsoft stated last week that a China-based hacking group it identified as Storm-0558 breached email accounts from approximately 25 organizations, including U.S. government agencies.