July 18, 2023
Millions of emails containing sensitive information such as passwords and medical records have been mistakenly sent to the West African country Mali because of a minor typo, according to media reports.
The emails, which were intended for the US military's ".mil" domain, were instead sent to addresses with the ".ml" suffix.
The Pentagon, the US defence institution, said it had taken steps to address the issue.
The issue was identified by Dutch internet entrepreneur Johannes Zuurbier more than 10 years ago, according to the Financial Times.
Since 2013, the entrepreneur has had a contract to manage Mali's country domain and has reportedly received tens of thousands of emails in recent months.
Although none of the emails in question were classified, they included maps of US military facilities, financial records, and documents pertaining to official trips with diplomatic messages.
This month Zuurbier wrote a letter to US officials in which he said that his contract with the Mali government was due to finish soon, meaning "the risk is real and could be exploited by adversaries of the US".
Mali's government is to take control of the domain on Monday.
Former and current US officials noted that military communications marked "classified" or "top secret" are conveyed through separate IT systems so that they cannot be compromised.
Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security's Intelligence Law Division, said that even seemingly harmless information could prove useful to US adversaries, particularly if it included details of individual personnel.
"Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit," Stransky said, adding that "it's certainly information that a foreign government can use."
Lee McKnight, a professor of information studies at Syracuse University, said he believed the US military was fortunate that the issue was brought to its attention and that the emails were going to a domain used by Mali's government, rather than to cybercriminals.
He added that "typo-squatting", a type of cybercrime that targets users who misspell an internet domain, is common.
"They're hoping that a person will make a mistake and that they can lure you in and do stupid things," he said.