Mil, Mali, Let’s Call the Whole Thing Off
A simple typo misdirected millions of emails intended for the US military.
CNN (“Common typo causes millions of emails intended for members of the US military to be sent to accounts in Mali”):
Millions of emails intended for Pentagon employees were inadvertently sent to email accounts in Mali over the last decade because of typos caused by the similarity of the US military’s email address and the domain for the West African country, according to a Dutch technologist who discovered the problem.
In some cases, sensitive information like hotel reservations for senior US military officials was revealed.
The emails were intended for owners of “.MIL” email accounts – the internet domain owned by the US military – but because of typos they were instead sent to the .ML domain, which handles email accounts in the West African country of Mali.
The email mishap reveals the security risks to US national security officials that can arise from an innocent typo. The personal information in the emails could be used to conduct targeted cyberattacks or to track the movements of Pentagon personnel – although there’s no evidence that happened in this case.
The Financial Times first reported on the issue.
Johannes “Joost” Zuurbier, a Dutch internet entrepreneur, received the emails because his company was contracted to manage the .ML domain. Since 2013, Zuurbier said, he has raised the issue with various US officials, including the US Embassy in Mali earlier this year.
“Yes, I was concerned, still am!” Zuurbier said in an email to CNN when asked about possible security risks and the misdirected emails.
Zuurbier’s contract to manage the .ML domain expired last week, he said, prompting him to raise awareness of the issue in the media.
None of the leaked emails were sent from official Department of Defense email addresses, but the department has blocked its email accounts from emailing .ml email addresses as a precaution, Deputy Pentagon Press Secretary Sabrina Singh said Monday.
She added that the “only thing that went through” were emails from personal accounts, like a Gmail or Yahoo account. The department strongly discourages using personal email accounts for official business, Singh said.
“The Department of Defense (DoD) is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously,” Lt. Cmdr. Tim Gorman said in a statement to CNN earlier on Monday.
The misdirected emails have grown less frequent in recent years, but still come by the hundreds per day, Zuurbier said. Many of the emails are spam, but some are sensitive.
One of the misdirected emails contained hotel room numbers for the Army chief of staff, Gen. James McConville, and his entourage on a trip they took in May to Indonesia.
The implications are serious, even if the story itself is amusing.
Still, misdirected email is a pretty standard problem, not limited to domain name typos. When I was working as a contractor for DISA many years ago, I got emails for a Navy lieutenant commander with my same name several times a week despite his being in Florida and me being in Virginia and mine having a .ctr right there in the email. Presumably, people were simply going to the Global Address List and not being too careful. And, for some reason, the guy who sold my houses four years ago suddenly started emailing me stuff clearly intended for other customers a few weeks back. After a few notes about the error, I just started ignoring them. Presumably, the other customers have similar letter combinations and autocomplete is the culprit.
It’s rare, indeed, that I type out an email address in a way that I could make the .mil/.ml mistake. Pretty much every email I send is to someone already in my address book—and I’m generally pretty careful to send it to the right one if there are multiples* for a given person—a reply to an email from someone else, or a situation where I can cut and paste the email address.
As to security, we all know that we’re not supposed to send sensitive information over uncontrolled networks. But I’d really need to know the circumstances around the McConville email. Who sent it? Under what circumstances?
As to Zuurbier, good on him for alerting the US government about the issue. But, while I fully understand why an administrator would monitor the number of misdirected emails going to the domain he was managing, how did he know what was in the emails?
*Aside from colleagues for whom I have both a business and personal address, all of us at MCU have both a .edu account and one associated with the library.