When A Typo Matters … Send Sensitive Military Information to Mali

10 years of sensitive data

I receive a good deal of misdirected email on my Gmail account. Most of it relates to gatherings of war veterans in the US or church events in Illinois that I am apparently expected to attend. Why? Because someone, somewhere, has an email address similar to mine. Perhaps it is a Bill Buchan or a Will Buchanan? Who knows, but I get them constantly, and I discreetly decline the invite and ask the sender to check the address.

I never embarrass the senders by replying to the whole group, and there are often more than 50 people copied on these emails. It is all part of the silly world of email. But when misdirected emails go to places holding sensitive data, we must worry.

And so the Financial Times [here] has disclosed that a one-character typo in the domain part of an email address has sent hundreds of thousands of emails intended for the US military domain (.MIL) to the country-code domain of Mali (.ML):

These include sensitive documents, tax returns, travel information and password resets. The problem is thought to have existed for over a decade and was discovered by Johannes Zuurbier, who manages the .ML domain, but only now is it being taken seriously by the US military. He has found over 117,000 misdirected email messages, and the count grows by over 1,000 messages a day.

Johannes has controlled the .ML domain for over 10 years and is the managing director of Amsterdam-based Mali Dili. His control of the domain reverts to the Mali government in the next few days. He took over the domain in 2013 and noticed a great deal of traffic addressed to army.ml and navy.ml, domains that did not exist at the time. He informed the US authorities but heard nothing back. This year he even contacted the Pentagon to report the problem, but still nothing moved.

Over the past decade, Johannes has found a wide range of highly sensitive information, including the details of the US Army chief of staff James McConville's trip to Indonesia in May 2023. He has also found that very few of the emails were marked as classified or carried any indication of the sensitivity of their contents. Many contained highly sensitive information about military personnel and their families, including X-rays and medical data, identity information, travel plans, criminal complaints, and a whole lot more.

There are two core scenarios here. The first is that the emails were sent from within the .MIL domain, in which case the outbound mail server (or a data-loss-prevention gateway in front of it) should have checked the recipient domain against known lookalikes of its own domain and bounced the message (and perhaps bounced the sender to HR). The second, and most likely, is that the emails were sent from an external provider such as Gmail or Live, so they never passed through a .MIL server at all and no internal control could have caught them. This is plainly negligent, and I have seen many examples of clinicians sending highly sensitive patient information to their personal address, and then on to the wrong person.
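The first scenario is fixable at the mail gateway. The following is an added example (not code from the article, the FT, or any US military system) of the check an outbound mail filter or DLP rule could apply: it extracts each recipient's domain, lets genuine internal domains through, and flags any recipient whose domain (or its last two labels, so that mail.army.ml is caught as well as army.ml) is within one edit of a protected domain. The PROTECTED_DOMAINS list and the sample headers are constructed for illustration and are not real traffic.

```python
"""Outbound-mail guard: flag recipients whose domain is a typo-squat of a
protected domain (e.g. army.ml in place of army.mil).

Added example, not from the original article. The protected-domain list
and the sample headers below are constructed for illustration.
"""

from email.utils import getaddresses, parseaddr

# Constructed list of domains we want to protect against one-character typos.
PROTECTED_DOMAINS = ("army.mil", "navy.mil", "af.mil", "mail.mil")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if none."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `domain` imitates, or None.

    A domain is a lookalike when it is neither a protected domain nor a
    subdomain of one, but it (or its registrable part, the last two
    labels) is within one edit of a protected domain.
    """
    for good in protected:
        if domain == good or domain.endswith("." + good):
            return None  # genuinely internal: let it through
    labels = domain.split(".")
    candidates = {domain, ".".join(labels[-2:])}
    for good in protected:
        for cand in candidates:
            if cand != good and levenshtein(cand, good) <= 1:
                return good
    return None


def check_outbound(headers: dict) -> list:
    """Scan To/Cc/Bcc headers; return (recipient, imitated_domain) pairs.

    A gateway would reject or quarantine the message when this is non-empty.
    """
    hits = []
    for field in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses([headers.get(field, "")]):
            if not addr:
                continue
            bad = lookalike_of(recipient_domain(addr))
            if bad:
                hits.append((addr, bad))
    return hits


# Constructed sample headers, not real traffic: two typo-squat recipients,
# one legitimate external recipient, one genuine internal recipient.
SAMPLE_HEADERS = {
    "To": "J. Doe <j.doe@army.ml>, travel@agency.example",
    "Cc": "ops@navy.mil, bob@mail.army.ml",
}

if __name__ == "__main__":
    for rcpt, imitated in check_outbound(SAMPLE_HEADERS):
        print(f"BLOCK {rcpt}: looks like a typo of {imitated}")
```

The edit-distance threshold is deliberately tight (one character) so that unrelated domains such as agency.example pass, but it will also stop legitimate mail to any real domain one keystroke away from a protected one, which is the right trade-off for an organisation whose misaddressed mail carries medical records. In a Postfix deployment the same effect for a fixed list of lookalikes can be had without code via a `check_recipient_access` table in `smtpd_recipient_restrictions`; the code above is for the general case where the lookalikes are computed rather than enumerated.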

The FT reports that travel agents often misspelled the domain, and that staff were often using their own accounts to send sensitive information, such as an FBI agent who forwarded six messages to what they thought was their military email but actually sent them to the Mali domain.

Another worry for the US military is that Mali is generally more aligned with Russia than with the US, and the handover of the domain to its government could turn a decade of misdirected mail into an intelligence leak.

Conclusions

This is all about education, education, and education. Staff must be told not to send work material from their personal email accounts, and mail gateways should check outbound recipients against lookalikes of the organisation's own domain. In any case, email is not a secure way of sending sensitive information. That should be done with end-to-end encryption and proper authentication of the recipient.

If you do need to use email, sensitive information should be encrypted before it is sent, and it should only be readable by a recipient who has authenticated with multi-factor methods.

Postscript

Note, I support good journalism. The FT supports “Authority. Integrity. Accuracy.” Please consider a subscription, and keep good journalism alive:

https://subs.ft.com/subscription