Facebook Twitter (X) Instagram Somali Magazine - People's Magazine
Somalia’s recently launched electronic visa system is facing serious security concerns after it was found to lack basic protections, leaving sensitive personal information exposed and vulnerable to misuse. The weakness could allow malicious actors to download large numbers of e-visas that contain private details such as passport information, full names, and dates of birth, raising fears about identity theft, fraud, and intelligence gathering.
Al Jazeera confirmed the vulnerability this week after receiving a tip from a source with experience in web development. The source shared evidence showing how personal data could be accessed and also demonstrated that they had alerted Somali authorities about the problem last week. Despite these warnings, the source said they received no response and the security flaw remained unaddressed.
To verify the claims, Al Jazeera independently tested the system and was able to reproduce the same weakness. Within a short time, it was possible to download e-visas belonging to dozens of individuals. The affected applicants came from several countries, including Somalia, Portugal, Sweden, the United States, and Switzerland. Each document contained highly sensitive personal details that could be exploited if they fell into the wrong hands.
Digital rights experts have warned that such breaches carry serious risks. Bridget Andere, a senior policy analyst at the digital rights organization Access Now, said incidents involving personal data can have long-lasting consequences for individuals. She noted that exposed information can be used for identity theft, financial fraud, or surveillance by hostile actors, especially in politically sensitive contexts.
The latest discovery is particularly troubling because it comes just one month after Somali authorities acknowledged a previous breach of the same e-visa system. That earlier incident led to the exposure of information belonging to more than 35,000 visa applicants, prompting warnings from both the United States and the United Kingdom. According to the U.S. Embassy in Somalia, the leaked data included names, photographs, dates and places of birth, email addresses, marital status, and home addresses.
Following that breach, Somalia’s Immigration and Citizenship Agency moved the e-visa platform to a new domain, saying the change was meant to strengthen security. On November 16, the agency announced it had launched an investigation and said it was treating the matter with “special importance.” However, the newly identified vulnerability suggests that deeper security problems remain unresolved.
Al Jazeera said it contacted the Somali government again to share its findings and ask for comment, but no response was received. Because the flaw has not yet been fixed, the outlet chose not to publish technical details that could enable hackers to exploit the system further. Any sensitive information accessed during the investigation was destroyed to protect the privacy of those affected.
Andere criticized what she described as a pattern of rushing to deploy digital systems without fully considering security and data protection. She said launching an e-visa platform before it is properly secured, and then relaunching it after a major breach without transparent communication, can damage public trust and put people at unnecessary risk. She also expressed concern that Somali authorities have not issued a clear public notice about the earlier breach, despite legal requirements to inform both regulators and affected individuals.
Under Somalia’s data protection law, organizations responsible for handling personal data are required to notify the data protection authority when breaches occur. In cases involving high risk, individuals whose data may have been compromised should also be informed. Andere emphasized that extra safeguards are especially important when systems handle data from people of different nationalities, as this can involve multiple legal jurisdictions.
She added that ordinary users have little ability to protect themselves in such situations because the information exposed is data they are required to provide in order to apply for a visa. As more governments adopt digital visa systems, experts warn that cybersecurity and privacy protections must be treated as essential, not optional, to avoid repeating the same costly mistakes.