Somalia e-visa data breach highlights oversight gaps in Digital Public Goods

Somalia’s e-visa data breach has spiraled from a technical failure into a national test of digital governance, exposing at least 35,000 applicant records and prompting warnings from the United Kingdom and the United States. Launched Sept. 1, 2025, as a flagship Digital Public Good meant to secure borders and modernize services, the platform instead revealed how fragile the country’s digital public infrastructure remains without guardrails, oversight and trust.

At stake is more than cybersecurity. The incident has triggered political rifts, spooked travelers and raised urgent questions about who builds and audits government platforms that handle sensitive identity data. As Somalia accelerates digital ID programs and online services, the e-visa breach offers a case study in how weak institutions can turn promising tools into systemic risks.

For travelers like Hamdi Mohamed, the fallout is personal. She applied in September, uploading her passport scan and details to the official portal. “It looked modern,” she said. “I thought Somalia was finally catching up digitally.” Weeks later, she learned the system had been compromised and that her information could be among those exposed. “I don’t know who has my passport information now,” she said. After seeing images of other travelers’ documents on social media, she added, “That fear doesn’t go away.”

How a border safeguard became a vulnerability

Authorities have acknowledged that attackers accessed a large database of applicants’ personal information and that the breach went undetected for a significant period. The government formed a task force and said prosecutions could follow, but key questions remain unanswered: who designed the system, how it was vetted, which safeguards failed and why the exposure persisted.

Cybersecurity expert Bashir Dhore, a CISSP-certified practitioner who advised authorities after the incident, called it a governance breakdown more than a sophisticated hack. “This was not just a technical failure; it was a governance failure,” he said. In a written assessment, he cited “weak access control management, failure of vendor oversight, inadequate monitoring, no incident escalation mechanism, [and] absence of internal accountability.”

Dhore said his analysis pointed to a preventable server misconfiguration. “It wasn’t an attack in the conventional sense,” he said. “The server was misconfigured, making visa applicants’ data publicly accessible, a door left wide open despite warnings issued weeks earlier.” He added that the slow response and limited in-house expertise suggested the platform was not being managed by qualified staff.

Silence, switches and a trust deficit

Officials have not publicly explained why the visa service quietly shifted from evisa.gov.so to etas.gov.so amid the crisis. “Somalia isn’t high-tech, and hacking itself isn’t the main issue,” said Mohamed Ibrahim, a former telecommunications minister and technology expert. “But authorities should have been upfront with the public. Why was the website’s URL changed? That hasn’t been explained.” Attempts to reach immigration officials for comment were unsuccessful.

Travel behavior has fractured. “People are scared and keep asking us whether the e-visa system is really working,” said a Nairobi-based travel agent who requested anonymity due to security concerns. Others insist the portal still functions. “People are still obtaining visas through the government’s online portal, just as before, and there are no issues,” said travel and cargo agency official Abdukadir Osman Noor.

For diaspora Somalis, the breach validates long-standing worries about surveillance and misuse of personal information. “This confirms what many of us suspected,” said Abdikhadir Ahmed, a Somali living abroad. “Digital services without rules can be more dangerous than paper systems.” He doubts there will be consequences, noting previous investigations that ended without concrete punishment. Another Somali abroad said the timing — a breach within weeks of launch — “dropped trust immediately” and heightened fears of identity theft as borders digitize.

Law on paper, gaps in practice

Somalia’s Data Protection Act, enacted in March 2023, is the country’s first comprehensive privacy law. But experts say it offers limited vendor oversight and does not clearly require independent security audits for public systems. The country remains among Africa’s lowest in cybersecurity capacity, despite policy progress and a growing cadre of trained graduates. “If you collect sensitive data without legal safeguards, clear accountability and audits, breaches become inevitable,” Dhore said.

Political blowback and international warnings

The breach has aggravated federal tensions. Puntland State and North Western State of Somalia publicly rejected the federal e-visa, citing security concerns. “No one holding Somalia’s e-visa will be allowed to enter North Western State of Somalia or land at its airports,” North Western State of Somalia President Abdirahman Irro said. Puntland State, alleging constitutional overreach and security flaws, insists travelers pay entry fees directly at its airports — a stance that creates dual charges and deepens friction with Mogadishu.

“This incident has damaged Somalia’s image abroad,” said Professor Shafi’i Yusuf Omar, head of research at the Brilliance Center for Security and Good Governance. “At home, it deepens skepticism toward federal institutions.”

On Nov. 14, the U.K. Embassy warned travelers that “this data breach is ongoing and could expose any personal data you enter into the system,” urging applicants to weigh the risk. The U.S. Embassy said it was “unable to confirm whether an individual’s data is part of the breach” and advised anyone who applied for a Somali e-visa to assume they may be affected.

Regionally, a different playbook

Neighboring countries treat e-visa portals as core public infrastructure, built on explicit rules and oversight. Kenya’s e-visa operates under its Data Protection Act (2019), with security-by-design expectations and standard transparency when incidents occur. Uganda follows a similar approach under its 2019 data protection law, emphasizing centralized supervision and risk management. These models do not prevent failure, but they do constrain damage and preserve trust through public disclosure and accountability.

What Somalia must do next

• Commission an independent, public forensic audit of the e-visa platform and its vendors, including a detailed postmortem.
• Notify all affected applicants, offer remediation guidance and establish a dedicated helpline for identity protection concerns.
• Freeze feature expansion on high-risk systems until baseline controls — encryption, access management, logging and incident response — are verified by independent assessors.
• Operationalize an empowered, independent data protection authority with resources to enforce the 2023 law.
• Institute vendor accountability: clear security obligations, audit rights, penalties for noncompliance and mandatory breach disclosure timelines.
• Adopt continuous security testing — penetration tests, red teaming and a vulnerability disclosure or bug bounty program.
• Invest in talent: recruit and retain qualified cybersecurity engineers, and require role-specific training for public officials managing digital systems.
• Publish a transparent roadmap aligning digital public goods with enforceable governance, and harmonize federal and state procedures to avoid duplicative fees and confusion.

The e-visa debacle unfolds as Somalia rolls out broader digital public infrastructure, from the HUBIYE verification platform and the e-Aqoonsi digital ID app to a Certificate Delivery System for public services. Millions of Somalis are expected to rely on these systems. Building them before institutions mature is a bet the country can no longer afford to make without safeguards.

For those caught in the breach, the question is more immediate. “Will anyone be held responsible?” Mohamed asked. Until Somalia can answer that, its digital border remains open not just to travelers, but to doubt.

By Ali Musa
Axadle Times international–Monitoring.