A simple typo in email addresses has led to a significant security lapse within the US military, resulting in the unintended delivery of millions of emails containing sensitive information to Mali, as confirmed by the Pentagon. The error stems from mistyping the US military's ".MIL" domain as ".ML," the country code top-level domain (ccTLD) for Mali. This seemingly minor mistake has exposed unclassified yet sensitive data, including diplomatic correspondence, tax documents, passwords, and travel itineraries of high-ranking officers, as initially reported by the Financial Times.
The Pentagon acknowledged the issue, emphasizing that emails sent outside the ".MIL" domain are generally blocked. They stated that policies, training, and technical controls are in place to prevent such misdirected emails. Emails sent to incorrect domains are blocked, and senders receive notifications to verify recipient addresses.
While the Pentagon's statement highlighted the technical measures in place, it also acknowledged the challenge of preventing the use of personal email accounts for official business. Guidance and training continue to be provided to personnel on this matter, overseen by the Department of Defense Chief Information Officer (CIO).
Johannes Zuurbier, a Dutch entrepreneur managing Mali's domain, first brought the leaks to light. He reported collecting at least 117,000 misdirected Pentagon emails since January, with many more in preceding years. Zuurbier underscored the potential risk, stating, "This risk is real and could be exploited by adversaries of the US." He also warned that his decade-long contract managing Mali's ".ML" domain is expiring, transferring control to the Malian government, which has close ties with Russia.
This incident follows closely on the heels of another cybersecurity breach where China-based hackers accessed US government emails through a Microsoft cloud system. Microsoft's investigation into this breach is ongoing, and the Biden administration has pledged to hold those responsible accountable.
Microsoft confirmed that the hacking group, identified as Storm-0558, compromised roughly 25 organizations, including US government agencies.
