WASHINGTON — A simple typo caused millions of emails intended for Pentagon employees to be inadvertently sent to email accounts in Mali, according to a Dutch technologist who discovered the problem.
The emails were intended for “.mil” accounts, the internet domain owned by the U.S. military. The typo caused the emails to be sent instead to “.ml” accounts, which is the email domain for the West African country of Mali.
None of the emails are said to be classified, according to The Financial Times, which first reported the story. The contents of the emails include diplomatic documents, tax returns, passwords and travel details of senior military officials.
The problem was first noticed almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur, who has a contract to manage Mali’s domain.
He told The Financial Times that he has been collecting misdirected emails since January to persuade the U.S. to take the issue seriously. He holds close to 117,000 misdirected messages.
Some other contents of the emails include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.
One of the misdirected emails contained travel plans for Gen. James McConville, the Army chief of staff, and his delegation on a trip to Indonesia in May.
“None of the leaked emails that were reported came from a [Defense Department] email address,” Deputy Pentagon Press Secretary Sabrina Singh said Monday.
When a Defense Department email address is used to send something to a .ml address, the email will bounce back because it can’t be sent to that address, Singh said. Personal accounts do not offer the same protection.
Lt. Cmdr. Tim Gorman said Wednesday that the Defense Information Systems Agency, or DISA, at the start of the year was blocking outbound emails to 135 accounts within the .ml subdomains. Earlier in July, DISA began blocking outbound email to the entire .ml domain, but procedures were put in place to allow legitimate business emails to be sent. Emails that originate outside of the Defense Department network and are sent to a .ml address are out of the Pentagon’s control.
“The [Defense Department] is reinforcing to all personnel that personal email accounts should not be utilized to store and process sensitive unclassified information,” Gorman said.
The latest email incident comes after the Pentagon in February discovered U.S. Special Operations Command emails were publicly available online for about two weeks because of an information technology misconfiguration.
The Pentagon is already dealing with the fallout of a military documents breach. Massachusetts Air National Guard member Jack Teixeira is accused of accessing, keeping and sharing classified national defense information on various social media sites. The information included documents related to the war in Ukraine. He pleaded not guilty in June to charges.