
Fun story, Serious Risk of data leak via email typos: US military emails go to Mali

Take action: We are all rushing to send an email, and the autofill function is great for entering the recipients. But if you are working with sensitive data, stop before clicking send and re-read the recipient list, out loud to yourself if needed. The twenty seconds of reading can save you hours and days of interviews with cybersecurity staff and lawyers, and of typing up reports.


Learn More

Let's start with a real event that happened about a decade ago in a major bank. A young employee wanted to send an NSFW image to her friend by email. She accidentally sent the image to the entire company due to a typo in the autofill feature, which caused the email to be sent to 'all@company.com' instead of 'alexandra@company.com'.

It's a story with a happy ending: fortunately for the employee, the IT team managed to scrub the message by marking it as spam, so top management didn't see it.

Now, back to reality and the not-so-funny data leaks that happen because of typos. For a staggering ten years, a stream of emails related to the US military has been landing in Mali, West Africa. All this because of a series of unfortunate events:

  1. When entering the military's .MIL domain in a recipient's email address, senders frequently type .ML, the country identifier for Mali.
  2. The problem cascades every time someone clicks reply or reply to all.
  3. Modern mail clients remember email addresses for autofill, so people are stuck with the wrong autofill address until they purge the wrong email from the cache.

Enter Johannes Zuurbier, a Dutch entrepreneur who has been waving the cybersecurity red flag at the US military for years. He was contracted by Mali to manage their top-level domain. He warned time and again about the mistyped emails.

He even built a system to catch these misdirected emails so they could be safely destroyed, but it "was rapidly overwhelmed and stopped collecting messages." Since January 2023 alone, Zuurbier has intercepted 117,000 misdirected emails, several of which contain sensitive information related to the US military.

Despite his efforts, the emails kept making their way to the wrong destination. But this isn't just a matter of missent NSFW images. The emails contain serious stuff:

  • diplomatic documents,
  • tax returns,
  • credentials,
  • travel plans of top military officials,
  • data on serving US military personnel, contractors and their families,
  • X-rays and medical data,
  • identity document information,
  • crew lists for ships,
  • staff lists at bases,
  • maps of installations,
  • photos of bases,
  • naval inspection reports,
  • contracts,
  • criminal complaints against personnel,
  • internal investigations into bullying.

It's like accidentally sharing the corporate office with the whole world.

Now, Zuurbier's contract with Mali is wrapping up, and guess who's next in line? The Malian authorities, who have a cozy connection with Russia.

Currently the military is trying to fix the problem by blocking the .ML domain from the military networks and servers. But that doesn't help much with the massive number of external contacts who send mail to the military and may also mistype.

It's one of those issues where awareness and technical controls need to go hand in hand, because technology alone simply won't help.
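
One way to apply such a technical control on the sender's side, as an added example (not code from the original article): a pre-send check that blocks any recipient whose domain is one character away from a trusted domain, which catches the .ML-for-.MIL typo before the address settles into autofill. The domain lists and function names are assumptions made for the illustration.

```python
# Added example: pre-send recipient check for near-miss domains such as .ml for .mil.
# TRUSTED_DOMAINS and BLOCKED_TLDS are constructed sample policy values.
TRUSTED_DOMAINS = {"army.mil", "navy.mil", "mail.mil"}
BLOCKED_TLDS = {"ml"}


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipient(address):
    """Return (verdict, detail) where verdict is 'ok', 'warn' or 'block'."""
    local, sep, domain = address.strip().lower().rpartition("@")
    domain = domain.rstrip(".")
    if not (sep and local and domain):
        return ("block", "not a valid address")
    if domain in TRUSTED_DOMAINS:
        return ("ok", "")
    # One edit away from a trusted domain is almost certainly a typo: suggest the fix.
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) == 1:
            return ("block", f"did you mean {local}@{trusted}?")
    tld = domain.rpartition(".")[2]
    if tld in BLOCKED_TLDS:
        return ("block", f".{tld} is blocked")
    return ("warn", "external domain, confirm before sending")


def review_recipients(addresses):
    """Verdict per address, for a mail client add-in or outbound gateway to act on."""
    return {addr: check_recipient(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed recipient list, including a stale autofill entry with the .ml typo.
    for addr, (verdict, detail) in review_recipients(
        ["j.doe@army.mil", "j.doe@army.ml", "someone@example.ml", "friend@example.com"]
    ).items():
        print(f"{verdict:5} {addr} {detail}")
```

Because the check names the address the sender probably meant, it also gives the user a reason to purge the wrong entry from the autofill cache instead of just retrying.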
