Somalia’s relaunched e-visa website contains a fresh security flaw that could let malicious actors download large numbers of e-visas containing passport numbers, full names and dates of birth, Al Jazeera confirmed this week after receiving a tip from a web developer.
The vulnerability, which Al Jazeera was able to replicate, allowed the downloading of e-visas for dozens of applicants in a short period, exposing sensitive data on people from Somalia, Portugal, Sweden, the United States and Switzerland. Al Jazeera alerted Somali authorities and sent detailed questions about the flaw but received no response.
- Advertisement -
The discovery comes one month after U.S. and U.K. officials warned about a separate breach of Somalia’s e-visa platform that exposed the personal information of more than 35,000 applicants. “Leaked data from the breach included visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses,” the U.S. Embassy in Somalia said at the time.
A source with a background in web development told Al Jazeera they had informed Somali authorities of the new weakness last week, providing evidence and urging a fix, but said no corrective action was taken. Al Jazeera is withholding technical details of the flaw because it has not been remediated and could be exploited. Any sensitive data obtained for verification during reporting has been destroyed to protect affected individuals.
“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” said Bridget Andere, senior policy analyst at digital rights group Access Now.
Andere criticized the government’s handling of the system, noting that officials redeployed the e-visa platform after last month’s breach without adequately addressing security risks. “The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” she said.
She added that authorities have yet to issue a formal public notice about the November breach. “In such situations, Somalia’s data protection law mandates data controllers to notify the data protection authority, and in high-risk contexts such as in this incident, to also notify the individuals affected,” Andere said. “Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions.”
After last month’s breach, Somalia’s Immigration and Citizenship Agency moved the e-visa service to a new domain and announced on Nov. 16 that it was treating the issue with “special importance,” launching an investigation. Earlier that week, Defense Minister Ahmed Moalim Fiqi praised the e-visa system, saying it helped prevent ISIL (ISIS) fighters from entering the country amid ongoing fighting in the north against a local affiliate of the group.
Access Now’s Andere said governments frequently rush to roll out e-visa platforms and similar digital public services without building in robust safeguards, creating conditions for repeated failures. “Data protection and cybersecurity considerations are often the first to be disregarded,” she said. “It is difficult to shift the burden to people because the data they gave is required for a particular process.”
The latest revelation raises new questions about the integrity of Somalia’s e-visa infrastructure and whether authorities can protect sensitive information that travelers must submit to enter the country. It also heightens the risk that stolen data could be used for identity theft or targeted surveillance across borders, given the international mix of applicants.
Somali officials did not respond to Al Jazeera’s requests for comment about the newly identified flaw, how many applicants may be affected, or when a fix would be implemented. As the government continues its investigation into the November breach, security experts say transparent disclosure, rapid remediation and independent testing are essential to restoring confidence in the system.
Until then, the episode underscores the stakes of cybersecurity lapses in public infrastructure: when critical services are deployed without adequate protections, the consequences reverberate far beyond code, touching privacy, safety and trust for thousands of people.
By Ali Musa
Axadle Times international–Monitoring.
