Somalia’s new e-visa security flaw exposes thousands of applicants’ data
Somalia’s newly relaunched electronic visa portal contains a serious security flaw that could allow unauthorized parties to download large numbers of e-visas holding sensitive personal data, including passport information, full names and dates of birth, according to findings confirmed by Al Jazeera.
The vulnerability emerged a month after a separate breach of the country’s e-visa platform exposed tens of thousands of records and prompted warnings from the United States and United Kingdom. Al Jazeera reported that it verified the latest flaw this week after receiving a tip from a source with web development expertise who had alerted Somali authorities last week but received no response.
Al Jazeera said it was able to reproduce the issue and, in a short period, download e-visas with personal details belonging to applicants from Somalia, Portugal, Sweden, the United States and Switzerland. The outlet is withholding technical specifics until the weakness is fixed to prevent exploitation and said any sensitive data accessed during testing has been destroyed.
“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, senior policy analyst at digital rights group Access Now, told Al Jazeera.
Somali officials did not respond to questions about the new flaw, Al Jazeera reported. Last month, after the earlier breach, the Immigration and Citizenship Agency (ICA) moved the e-visa site to a new domain in what it said was an effort to increase security. On Nov. 16, the ICA said it was treating the incident with “special importance” and had launched an investigation.
The U.S. Embassy in Somalia said the previous breach disclosed data on more than 35,000 visa applicants. “Leaked data from the breach included visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses,” the embassy said at the time. The U.K. issued a similar warning.
Andere criticized the decision to press ahead with the system after one breach and redeploy it in the face of further risks. “The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” she said.
She added that Somali authorities have not issued a formal notice about November’s breach, despite obligations under the country’s data protection law. The law requires data controllers to notify the data protection authority, and in high-risk cases to inform affected individuals. “Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions,” Andere said.
Access Now warned that governments frequently rush to deploy e-visa platforms without adequate cybersecurity review, leaving applicants exposed. “Data protection and cybersecurity considerations are often the first to be disregarded,” Andere said. “It is difficult to shift the burden to people because the data they gave is required for a particular process.”
The e-visa rollout has been politically sensitive. Earlier in November, Defense Minister Ahmed Moalim Fiqi praised the system, saying it had helped block ISIL (ISIS) fighters from entering the country amid ongoing fighting in the north with a local affiliate of the group.
Al Jazeera said it has notified the Somali government about the latest vulnerability and sought comment. As of publication, no response had been received and the flaw had not been fixed.
By Ali Musa
Axadle Times international–Monitoring.