Millions of US military emails have been mistakenly sent to Mali, a Russian ally, because of a minor typing error.
Emails intended for the US military’s “.mil” domain have, for years, been sent to the west African country, whose domain ends with the “.ml” suffix.
Some of the emails reportedly contained sensitive information such as passwords, medical records and the itineraries of top officers.
The Pentagon said it had taken steps to address the issue.
According to the Financial Times, which first reported the story, Dutch internet entrepreneur Johannes Zuurbier identified the problem more than 10 years ago.
Since 2013, he has had a contract to manage Mali’s country domain and, in recent months, has reportedly collected tens of thousands of misdirected emails.
None were marked as classified, but, according to the newspaper, they included medical data, maps of US military facilities, financial records and the planning documents for official trips as well as some diplomatic messages.
Mr Zuurbier wrote a letter to US officials this month to raise the alarm. He said that his contract with the Mali government was due to finish soon, meaning “the risk is real and could be exploited by adversaries of the US”.
Mali’s military government was due to take control of the domain on Monday.
Mr Zuurbier has been approached for comment.
US military communications that are marked “classified” and “top secret” are transmitted through separate IT systems that make it unlikely they will be accidentally compromised, according to current and former US officials.
But Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security’s Intelligence Law Division, said that even seemingly harmless information could prove useful to US adversaries, particularly if it included details of individual personnel.
“Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit,” Mr Stransky said. “It’s certainly information that a foreign government can use.”
Mali has become increasingly close with Russia since a 2020 coup unseated its former government.
Lee McKnight, a professor of information studies at Syracuse University, said he believed the US military was fortunate that the issue was brought to its attention and the emails were going to a domain used by Mali’s government, rather than to cyber criminals.
He added that “typo-squatting” – a type of cyber-crime that targets users who misspell an internet domain – is common. “They’re hoping that a person will make a mistake, and that they can lure you in and do stupid things,” he said.
When contacted by the BBC, a spokesperson said the defence department was aware of the issue and it was being taken seriously.
They said the department had taken steps to ensure that “.mil” emails are not sent to incorrect domains, including blocking them before they leave and notifying senders that they must validate intended recipients.
Both Mr McKnight and Mr Stransky said human errors were prime concerns for IT specialists working in government and the private sector alike.
“Human error is by far the most significant security concern on a day-to-day basis,” Mr Stransky said. “We just can’t control every single human, every single time.”