A newly identified security flaw in Somalia’s electronic visa platform has raised serious concerns about the safety of personal data belonging to thousands of travelers, only weeks after the country acknowledged a major breach affecting tens of thousands of applicants. Investigations show that the Somalia e-visa system lacks essential protection methods, making it possible for unauthorized users to access and download sensitive documents with minimal effort.
The Somalia e-visa flaw was confirmed this week by Al Jazeera after receiving a tip from a source with professional experience in web development. According to the source, the e-visa platform could be exploited to retrieve large numbers of visa files containing highly sensitive personal information. The exposed data includes applicants’ passport details, full names, and dates of birth, information that could be misused for a wide range of criminal or intelligence-related activities.
Ignored Warnings Followed by Independent Verification of Global Data Exposure
The source not only shared evidence of the exposed data with Al Jazeera but also demonstrated that they had formally alerted Somali authorities to the e-visa vulnerability the previous week. Despite these warnings, the individual stated that there was no response from officials and no indication that the flaw had been addressed or corrected.
Al Jazeera independently verified the claims by replicating the vulnerability described by the source. During testing, journalists were able to download e-visas belonging to dozens of individuals within a short period. The compromised files included personal information of applicants from several countries, including Somalia, Portugal, Sweden, the United States, and Switzerland.
“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, a senior policy analyst at the digital rights organization Access Now, said in comments to Al Jazeera. She noted that the consequences of such failures extend beyond technical problems and can have lasting effects on individuals’ safety and privacy.
Somalia E-Visa Vulnerability Emerges as Fallout Continues from Earlier Mass Data Breach
The Somalia e-visa flaw comes barely a month after Somali officials announced an inquiry into an earlier cyberattack on the same e-visa system. That previous incident prompted warnings from both the United States and the United Kingdom governments. According to those alerts, personal information belonging to more than 35,000 Somalia e-visa applicants had been leaked.
At the time, the US Embassy in Somalia detailed the scope of the exposure, stating that the compromised data included applicants’ names, photographs, dates and places of birth, email addresses, marital status, and home addresses.
In response, Somalia’s Immigration and Citizenship Agency (ICA) moved the e-visa platform to a new internet domain, citing the change as an effort to strengthen security. On November 16, the agency said it was treating the breach with “special importance” and confirmed that an investigation had been launched. However, the discovery of a fresh e-visa vulnerability suggests that the underlying security issues may not have been fully resolved.
Security Claims Clash with Legal Duties
Earlier that same week, Somalia’s Defence Minister, Ahmed Moalim Fiqi, publicly praised the Somalia e-visa system. He claimed it had played a role in preventing ISIL (ISIS) fighters from entering the country, as Somali forces continued a months-long battle against a local affiliate of the group in the northern regions.
“The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” Andere said. She also expressed alarm that Somali authorities had not issued any formal public notice about the serious November data breach.
Under Somalia’s data protection law, data controllers are required to notify the national data protection authority when breaches occur. In high-risk cases, such as incidents involving sensitive personal data, affected individuals must also be informed. “Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions,” Andere added.
Al Jazeera said it could not disclose specific technical details of the current security flaw, as the vulnerability remains unpatched, and publicizing it could enable further exploitation. Any sensitive information obtained during the investigation was destroyed to protect the privacy of those affected.