Al Jazeera has revealed a critical security flaw in Somalia newly revamped electronic visa website, enabling unauthorised access to thousands of applicants’ sensitive personal data, including passport details, full names and birth dates.
The discovery comes just a month after a major data breach hit the same system, raising fresh concerns over the government digital infrastructure.
The vulnerability, confirmed by the news outlet this week, stems from inadequate security measures on the platform, which was relaunched in November following the earlier hack. According to Al Jazeera, the issue allows nefarious actors to easily download e-visas en masse, potentially exposing individuals to identity theft, fraud and other risks.
Tip from whistleblower sparks probe
The investigation began after a tip from a web development expert, who alerted Somali authorities last week but received no response. Al Jazeera verified the claim by replicating the exploit, accessing data from applicants in countries including Somalia, Portugal, Sweden, the United States and Switzerland within minutes.
To avoid aiding potential hackers, the outlet withheld technical details of the flaw, which remains unpatched. Any obtained data was promptly destroyed to protect privacy. Queries sent to the Somali government went unanswered.
Echoes of November breach
This latest lapse follows a confirmed cyberattack in November, when hackers compromised the e-visa system, leaking information on over 35,000 applicants. The United States embassy in Somalia issued an alert on 13 November 2025, warning that exposed data included names, photos, birth details, emails, marital status and addresses.
The United Kingdom echoed the advisory, highlighting risks to tens of thousands. Somalia Immigration and Citizenship Agency (ICA) responded by migrating the site to a new domain and launching an inquiry, vowing to treat the matter with special importance on 16 November 2025.
Defence Minister Ahmed Moalim Fiqi had praised the system days earlier, crediting it with blocking ISIL fighters amid ongoing conflicts in northern regions.
Experts warn of systemic risks
Digital rights advocates have criticised the rushed rollout of such platforms. “Breaches like this endanger people through identity theft and malicious intelligence gathering,” said Bridget Andere, a senior policy analyst at Access Now, in comments to Al Jazeera.
Andere noted that Somalia data protection laws require notifying authorities and affected individuals in high-risk cases, especially involving multiple nationalities and jurisdictions. She decried the lack of public notice about the November incident and urged stronger safeguards.
“Governments often prioritise deployment over security, eroding trust and creating avoidable vulnerabilities,” Andere added. “It is tough for individuals to shield themselves when the data is mandatory for visas.”
Broader implications for digital governance
The repeated issues underscore challenges in Somalia push for modernisation amid instability. The e-visa system, intended to streamline entry and enhance security, has instead become a liability.
Biometric and digital ID experts point to similar problems in emerging systems elsewhere, where haste leads to leaks. As investigations continue, calls grow for international assistance to bolster cybersecurity in fragile states.
With no fixes in sight, applicants are advised to monitor for fraud, though experts stress the onus lies on authorities to secure platforms handling global data.
