Millions of emails meant for U.S. military personnel were inadvertently sent to email accounts in Mali over the past 10 years due to typos caused by how similar Pentagon email addresses are to the domain for the African country, according to multiple reports.
The misdirected emails included sensitive information such as diplomatic documents, medical data, maps and photos of installations, identity document information, passwords, tax returns and hotel reservations for senior officers, according to Johannes Zuurbier, a Dutch technologist who discovered the problem in 2013.
Zuurbier, who manages Mali’s country domain, told the Financial Times that he tried to warn the Pentagon multiple times about the problem, in which email traffic meant for the .MIL domain — which ends all U.S. military email addresses — instead goes to the .ML domain, the country identifier for Mali.
The Hill has reached out to Zuurbier, but he did not immediately respond to a request for more information.
Asked about the mix-up Monday, Pentagon deputy press secretary Sabrina Singh said the Defense Department is “aware of these unauthorized disclosures of controlled national security information.”
She stressed that “none of the leaked emails that were reported came from a [Department of Defense] DOD email address” and instead came from employees’ personal accounts, such as those from Gmail and Yahoo.
“We always discourage people from using their personal emails. Official work should be done on official channels and under official emails,” Singh said. “That’s something that we’ve always emphasized.”
She added that after the leak of hundreds of classified and top-secret documents on the video gamer website Discord earlier this year, the Pentagon “implemented policy and training mechanisms” on the DOD systems.
As part of that, if an individual mistakenly sends a message from an .MIL email address to an .ML email address, “it will bounce back. So a DOD email address will not be able to send to that email address,” she noted.
Still, emails meant for Pentagon employees continue to flow to Mali’s domain, according to Zuurbier. He told the Times he has been collecting misdirected emails since January to warn U.S. officials of the issue, and earlier this month sent a letter cautioning: “This risk is real and could be exploited by adversaries of the US.”
He said he has around 117,000 misdirected messages, including nearly 1,000 that arrived July 12.
The situation became more urgent Monday, when Zuurbier was set to lose control of the .ML domain, which was due to revert to Mali’s government.
The West African nation is an ally of Russia and will now be able to collect the mistakenly sent emails. The country did not respond to the Times’s requests for comment.
While most of the emails are spam, some hold information on current U.S. military personnel, contractors and their families, according to Zuurbier.