Date: 2025-11-15

The article, “SOMALIA’S E-VISA SCAM: Leaked Report Confirms $288k in Overcharges—U.S. Embassy In Somalia Now Warns of Breach,” reports a catastrophic breach of Somalia’s e-visa system, revealing personal data of at least 35,000 applicants (including 2,298 U.S. citizens) and exposing critical security flaws that enabled massive financial fraud totaling approximately $287,808 in duplicate charges across 1,519 transactions.

It claims the payment system lacked verification and fraud monitoring, operated under terms forbidding refunds or chargebacks, and was hosted on a US-based shared server in Florida, raising cross-border legal and security concerns.

The piece also critiques the response (or lack thereof) from Somalia’s government and Western allies, and calls into question the accountability mechanisms under US law and international governance.

Key Points

The U.S. Embassy confirmed a data breach of Somalia’s e-visa system affecting at least 35,000 people, including 2,298 Americans.

A confidential internal report alleges a sovereign Mogadishu system illegally overcharged 1,519 travelers a total of $287,808, with terms permanently forbidding refunds.

The e-visa platform processed 12,413 transactions totaling $794,432, with no Mastercard verification or fraud controls in place.

608 “rapid-fire” transactions suggest automated fraud or duplicate charges, bypassing standard payment monitoring.

Mastercard’s payment gateway was effectively bypassed, undermining Zero Liability protections and exposing questions about Mastercard’s due diligence.

The entire immigration database was hosted on a shared Florida server, placing sensitive data under US jurisdiction and contravening Somalia’s data protection stance.

The database passwords were publicly accessible, with visa records retrievable via simple URL manipulation, evidencing multiple critical vulnerabilities.

Western allies were largely silent publicly; the U.K., EU, Netherlands, Sweden, Norway, Canada, and Australia offered little or no public warning.

The news article questions what actions the US might take under the CLOUD Act and Executive Order 14117 to seize data or pursue restitution.

A new platform (etas.gov.so) replaced the original evisa.gov.so, reportedly with similar structural flaws and no acknowledgment of the breach.

Key Concepts Analysis

E-Visa Data Breach : A security incident where Somalia’s electronic visa system exposed personal data of at least 35,000 individuals, including 2,298 U.S. citizens. The breach involved accessible passport details, photos, birth dates, contact information, and movement patterns, creating significant privacy and security risks. The confidential internal report claims additional issues such as unverified payments and absence of fraud detection. The concept covers data exposure, potential terrorist-targeting risks, and cross-border implications of storing data on foreign infrastructure.

Duplicate Charges and Payment Fraud : Internal findings describe $287,808 in duplicate charges across 1,519 customers, with instances of overcharging and lack of refunds due to contractual terms forbidding refunds or chargebacks. A total of 12,413 transactions totaling $794,432 were processed without proper payment verification with Mastercard. This concept encompasses fraudulent billing patterns, absence of fraud controls, and constraints that prevent victims from recovering funds.

Mastercard Gateway Issues : The report attributes fraudulent charges to the Mastercard Payment Gateway Services (MPGS) used by Somalia’s e-visa system, highlighting failures to detect fraud, monitor chargebacks, or enforce standard protections such as Zero Liability. This concept involves payment industry responsibilities, merchant risk management, and how contractual terms and processing rules interact with consumer protections.

Rapid-Fire Transactions : Identification of 608 suspicious rapid transactions that indicate automated or system-generated duplicates. The lack of verification and fraud monitoring allowed these rapid-fire charges to go unchecked, signaling high operational risk within the payment process.

Sovereign System on Shared Florida Server : Somalia’s immigration database was hosted on a US-based shared hosting environment (Liquid Web in Tampa, Florida), raising concerns about cross-border data protection, jurisdiction, and the exposure of highly sensitive records to U.S. legal oversight. This concept ties data sovereignty to security vulnerabilities and governance failures.

Vulnerabilities and Critical Flaws : The internal assessment lists five critical vulnerabilities: publicly accessible system files, unrestricted file uploads enabling code execution, missing access controls on visa records, payment system weaknesses leading to duplicate charges, and weak administrator authentication. Each contributes to systemic risk and potential for exploitation.

Data Exposure Scale and Contents : The breach involved 125,000+ visa applications, 34,000+ passport records, 27,000+ email addresses, 123,000+ phone numbers, 20,000+ biometric photos, and 12,400+ payment transactions. This concept emphasizes the breadth and sensitivity of the exposed data, including biometric material and travel histories.

Official Acknowledgment and Policy Gaps : The U.S. Embassy issued a security alert acknowledging the breach but highlighted limited recourse for affected individuals within Somalia’s framework. Questions are raised about accountability, jurisdiction, and possible legal actions under U.S. law (e.g., CLOUD Act, Executive Order 14117) given that data is stored on American infrastructure.

International and Western Response : The article notes a lack of public warnings from several Western countries (UK, EU, Netherlands, Sweden, Norway, Canada, and Australia) despite substantial exposure of their citizens’ data, pointing to delays or inconsistencies in multinational responses to such breaches.

Policy and Accountability Questions: The piece raises critical questions about who bears responsibility for the fraud, whether the U.S. can seize servers or pursue restitution under U.S. law, and how to ensure accountability and protection for affected individuals, including potential government and private-sector liability.

Summary

The article centers on a comprehensive security failure within Somalia’s e-visa system, highlighting data breaches affecting tens of thousands of records, widespread financial fraud via duplicate charges, and systemic governance shortcomings.

Key concepts include data breach exposure, fraudulent payment processing, Mastercard gateway failures, rapid-fire transaction detection gaps, cross-border hosting and data sovereignty issues, critical system vulnerabilities, and the broader policy implications for accountability and international responses.

Together, these concepts illustrate how insecure infrastructure, weak financial controls, and governance gaps can produce large-scale privacy, security, and financial risks for individuals and international partners.

The complete piece from Somaliland Chronicle is as follows:

SOMALIA’S E-VISA SCAM: Leaked Report Confirms $288k in Overcharges—U.S. Embassy In Somalia Now Warns of Breach

U.S. government confirms the data breach: 2,298 American citizens among 35,000 compromised, endangering U.S. lives. Confidential report reveals Mogadishu built a payment system designed to steal, with contractual terms forbidding refunds.

The United States Embassy in Somalia has officially confirmed Somalia’s e-visa system suffered a catastrophic breach exposing the personal data of at least 35,000 people, including 2,298 U.S. citizens whose passport details, photos, and travel patterns are now accessible to anyone with an internet connection—including al-Shabaab.

In a November 13 security alert, the U.S. Embassy warned American citizens that “multiple sources reported credible allegations that unidentified hackers penetrated Somalia’s e-visa system potentially exposing the personal data of at least 35,000 people, including possibly thousands of U.S. citizens.” The leaked data includes visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses.

A confidential security report obtained by Somaliland Chronicle reveals the breach goes far beyond data exposure. The internal report, classified “CONFIDENTIAL – GOVERNMENT ONLY” and dated October 2025, documents how Mogadishu fraudulently overcharged travelers $287,808 while its public-facing terms of service contractually forbid victims from claiming refunds or initiating chargebacks.

The breach exposed 125,000+ visa applications, sensitive banking information, system-level administrator passwords, and 12,413 payment transactions totaling $794,432. The report’s findings, combined with Somalia’s official e-visa website terms, reveal a payment system designed for theft.

2,298 Americans on a Terrorist Kill List

As Chronicle reported on November 11, the breach created a terrorist targeting database. Complete travel records—passport details, photos, email addresses, and movement patterns—of 35,000 international travelers were fully accessible to anyone on the internet for weeks. Among them: 2,298 American citizens.

The breakdown of exposed nationalities reads like a directory of Western targets in a country where al-Shabaab has spent two decades killing foreigners. Kenya leads with 13,325 passport records exposed, followed by the United Kingdom with 3,027, and the United States with 2,298. The Netherlands accounts for 2,040 exposed records, Colombia 1,686, Sweden 1,679, Norway 1,058, and Canada 972. India, Finland, Ethiopia, Uganda, Pakistan, Denmark, Turkey, and Belgium each lost hundreds to thousands of passport records to the breach.

The confidential report warns that “these individuals’ travel patterns, passport details, photos, and contact information were fully accessible. This creates significant operational security risks for international personnel working in Somalia.”


How many of the 2,298 compromised Americans were traveling on official business remains unknown. The U.S. Embassy’s November 13 alert acknowledges it is “unable to confirm whether an individual’s data is part of the breach” but advises all e-visa applicants to assume they are compromised. The Somali government has yet to issue a public statement or notify victims.

The Payment Fraud: $288k Stolen, Zero Recourse

The internal report confirms the payment system levied $287,808 in duplicate charges against 1,519 customers, with some paying $256 for a $64 visa. Customers paid once. The system charged them again. And again. And again. Some were billed four times for a single visa. No verification. No fraud detection. No refunds.

The official “Terms & Conditions” on the evisa.gov.so portal ensure this fraud is permanent. The terms state: “…the application fee paid by the applicant is non-refundable under any circumstances.” Furthermore, the government explicitly blocks victims from asking their banks for help: “Payments made by credit, debit, or prepaid cards… cannot be reversed or recovered through chargeback procedures.”

The report reveals the system processed 12,413 transactions totaling $794,432—all without once verifying payments with Mastercard. The system didn’t check if transactions succeeded. The report notes: “System doesn’t verify with Mastercard.” Mogadishu built a billing system that doesn’t confirm whether it already took your money.

How many of those 1,519 victims were Americans? How many of the 2,298 exposed U.S. passport holders were among those fraudulently overcharged? The report doesn’t say. The Somali government hasn’t investigated. The U.S. Embassy’s security alert makes no mention of the financial theft—only the data exposure.

608 ‘Rapid-Fire’ Transactions: The Smoking Gun

The report identifies 608 suspicious “rapid-fire” transactions—payments processed in such rapid succession that they could only have been system-generated duplicates or automated fraud. Yet the system had no payment verification, no fraud detection monitoring, and no rate limiting to prevent rapid duplicate charges. The report categorizes the financial risk as “HIGH” and notes the system lacked “monitoring for suspicious transactions.”

The pattern repeats: payment IDs charged three to four times instead of once, customers paying $192-$256 instead of the standard $64 fee, and zero verification that transactions were legitimate government visa payments. The payment processor—Mastercard Payment Gateway Services—was effectively bypassed. Transactions weren’t categorized as official government visa fees but processed as generic service charges, stripping away consumer protections and making chargebacks contractually impossible.
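The missing controls described above (duplicate-charge monitoring and a once-only check per payment ID) can be sketched as follows. This is an added example, not code from the report or the e-visa system; the record layout, the payment IDs and the 60-second "rapid-fire" window are assumptions, and only the $64 fee comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

VISA_FEE = 64  # standard fee in USD, as stated in the article
RAPID_WINDOW = timedelta(seconds=60)  # assumption: the report does not define "rapid-fire"

# Constructed sample records (payment_id, ISO timestamp, amount in USD); not breach data.
SAMPLE_TRANSACTIONS = [
    ("PAY-1001", "2025-09-01T10:00:00", 64),
    ("PAY-1002", "2025-09-01T10:05:00", 64),
    ("PAY-1002", "2025-09-01T10:05:03", 64),
    ("PAY-1002", "2025-09-01T10:05:07", 64),
    ("PAY-1002", "2025-09-01T10:05:11", 64),
    ("PAY-1003", "2025-09-01T11:00:00", 64),
    ("PAY-1003", "2025-09-02T09:30:00", 64),
]


def find_duplicate_charges(transactions, fee=VISA_FEE, window=RAPID_WINDOW):
    """Group charges by payment ID and report every ID billed more than once."""
    by_id = defaultdict(list)
    for payment_id, ts, amount in transactions:
        by_id[payment_id].append((datetime.fromisoformat(ts), amount))

    findings = {}
    for payment_id, charges in by_id.items():
        if len(charges) < 2:
            continue  # billed once: nothing to report
        charges.sort()
        times = [t for t, _ in charges]
        # Count repeat charges that arrive within `window` of the previous one.
        rapid = sum(1 for prev, cur in zip(times, times[1:]) if cur - prev <= window)
        total = sum(amount for _, amount in charges)
        findings[payment_id] = {
            "charges": len(charges),
            "total": total,
            "overcharge": total - fee,
            "rapid_fire": rapid,
        }
    return findings


class ChargeGuard:
    """Idempotency check: a payment ID may be captured once; repeats are refused."""

    def __init__(self):
        self._captured = set()

    def authorize(self, payment_id):
        if payment_id in self._captured:
            return False  # duplicate: do not bill again, alert instead
        self._captured.add(payment_id)
        return True


def replay_with_guard(transactions):
    """Replay the same records through the guard; return (accepted, rejected) counts."""
    guard = ChargeGuard()
    accepted = sum(1 for pid, _, _ in transactions if guard.authorize(pid))
    return accepted, len(transactions) - accepted


if __name__ == "__main__":
    for pid, finding in find_duplicate_charges(SAMPLE_TRANSACTIONS).items():
        print(pid, finding)
    print("accepted, rejected:", replay_with_guard(SAMPLE_TRANSACTIONS))
```

In a real deployment the guard's state would live in the payment database behind a unique constraint, and a charge would be recorded only after the gateway confirms it.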

Mastercard’s $288k Problem

The confidential report identifies the payment processor as “Mastercard Payment Gateway Services (MPGS)”—the same Mastercard that advertises “Zero Liability Protection” for cardholders and operates extensive fraud monitoring programs for merchants. Yet Mogadishu’s e-visa system processed $287,808 in fraudulent duplicate charges under Mastercard’s watch, with 608 suspicious “rapid-fire” transactions that should have triggered fraud alerts.

Mastercard’s own merchant rules require payment processors to monitor for excessive chargebacks and fraudulent transaction patterns. The company operates an “Excessive Fraud Merchant” program that places merchants into monitoring if they process more than $50,000 in fraud chargebacks. Somalia’s e-visa system exceeded that threshold nearly sixfold in duplicate charges alone.

Under standard card network rules, merchants bear liability for “card-not-present” transactions—the kind processed through the e-visa portal. When fraud occurs, the merchant is responsible for refunds, and their acquiring bank can impose fees, raise rates, or shut down accounts. But Somalia’s Terms & Conditions explicitly forbid refunds and chargebacks, creating a contractual trap that undermines card network consumer protections.

Did Mastercard conduct due diligence before allowing a foreign government with no functional financial oversight to process hundreds of thousands of dollars through its network? Did it review Somalia’s “no refund, no chargeback” terms? Did it notice when the same payment IDs were charged three and four times in rapid succession?

Mastercard’s “Zero Liability Protection” promises cardholders won’t be held responsible for unauthorized transactions. But the protection becomes meaningless when the payment processor enables a merchant to contractually block the dispute process. The 1,519 victims can’t invoke Zero Liability Protection because Somalia’s terms preemptively forbid the chargeback mechanism.

Mastercard has settled merchant fraud liability disputes before—most recently for $199.5 million in 2024 over improper liability shifts to merchants. The company now faces questions about whether it bears responsibility for facilitating fraud by a government merchant that openly advertised its refusal to honor basic consumer protections. Every one of those $287,808 in fraudulent charges generated processing fees for Mastercard.

A “Sovereign” System on a Shared Florida Server

The report confirms Somalia’s entire sovereign immigration database is not located in Somalia. Mogadishu hosts it on a shared cPanel server physically located in Tampa, Florida, operated by Liquid Web, L.L.C., based in Lansing, Michigan. The hosting environment is shared, meaning multiple unrelated websites occupy the same physical server.

By choosing US-based shared hosting, the Somali government has violated its own Data Protection Act, which governs cross-border transfer of citizens’ data. Somalia’s most sensitive immigration records—including those 2,298 American passport holders—are now subject to U.S. legal jurisdiction. A review of the e-visa portal finds no Privacy Policy. American travelers, UN officials, and UK diplomats who used the system were never informed that their data—including passport scans, biometric photos, and travel itineraries—would be stored, unsecured, on a shared server in Tampa.

Total System Compromise: Passwords Published Online

The report confirms the system’s database passwords were “publicly accessible to anyone on the internet” and that visa records could be accessed by “simply changing numbers in the web address”—no login, no authentication, no security. The system used sequential numbering for visa applications, meaning anyone could access the entire database by incrementing a single digit in a URL.
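From the defender's side, walking sequential record numbers leaves a recognizable trace in web server logs. The following added example (not from the report or the portal's code) flags clients that successfully fetch long runs of consecutive record IDs; the `/records/<id>` route, the log lines and the threshold of five are all assumptions.

```python
import re
from collections import defaultdict

# Hypothetical route shape; the article does not give the portal's real URL paths.
RECORD_REQUEST = re.compile(r'"GET /records/(\d+) HTTP/1\.[01]" (\d{3})')

# Constructed access-log lines using documentation IP ranges; not incident data.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Oct/2025:10:00:01 +0000] "GET /records/5001 HTTP/1.1" 200
198.51.100.7 - - [01/Oct/2025:10:00:01 +0000] "GET /records/5002 HTTP/1.1" 200
198.51.100.7 - - [01/Oct/2025:10:00:02 +0000] "GET /records/5003 HTTP/1.1" 200
203.0.113.20 - - [01/Oct/2025:10:00:02 +0000] "GET /records/7310 HTTP/1.1" 200
198.51.100.7 - - [01/Oct/2025:10:00:02 +0000] "GET /records/5004 HTTP/1.1" 200
198.51.100.7 - - [01/Oct/2025:10:00:03 +0000] "GET /records/5005 HTTP/1.1" 200
203.0.113.20 - - [01/Oct/2025:10:00:04 +0000] "GET /records/7311 HTTP/1.1" 403
198.51.100.7 - - [01/Oct/2025:10:00:04 +0000] "GET /records/5006 HTTP/1.1" 200
203.0.113.20 - - [01/Oct/2025:10:02:10 +0000] "GET /records/7310 HTTP/1.1" 200
203.0.113.20 - - [01/Oct/2025:10:09:45 +0000] "GET /records/9120 HTTP/1.1" 200
"""


def longest_consecutive_run(ids):
    """Length of the longest stretch where each ID is exactly the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text, min_run=5):
    """Return {client_ip: longest_run} for clients that read >= min_run consecutive IDs."""
    served = defaultdict(list)
    for line in log_text.splitlines():
        match = RECORD_REQUEST.search(line)
        if not match:
            continue
        record_id, status = int(match.group(1)), match.group(2)
        # Only successful reads count: with working access control, requests for
        # other applicants' records would be answered with 401/403, not 200.
        if status == "200":
            served[line.split(" ", 1)[0]].append(record_id)
    return {
        ip: run
        for ip, ids in served.items()
        if (run := longest_consecutive_run(ids)) >= min_run
    }


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Detection of this kind complements the actual fix, which is a per-record authorization check on every request and identifiers that are not sequential.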

The report identifies five critical vulnerabilities: system files publicly accessible, unrestricted file upload allowing malicious code execution, missing access controls on visa records, payment system vulnerabilities resulting in $287,808 in duplicate charges, and weak authentication on administrative accounts. Each vulnerability is rated “CRITICAL” except the last, which merits “HIGH.” The system had 73 database tables fully exposed, containing 125,000+ visa applications, 34,000+ passport records, 27,000+ email addresses, 123,000+ phone numbers, 20,000+ biometric photos, and 12,400+ payment transactions.

This digital collapse mirrors a physical one. Staff at Mogadishu’s Aden Adde International Airport remain in full work stoppage over unpaid wages and maltreatment by the Turkish firm Favori LLC. The government that cannot pay its airport workers operates an international fraud scheme that has drawn an official warning from the United States government.

Washington Confirms the Breach—But What Can It Do?

The November 13, 2025 U.S. Embassy security alert marks the first official acknowledgment by a Western government of the breach. The alert states: “On November 11, 2025, multiple sources reported credible allegations that unidentified hackers penetrated Somalia’s e-visa system potentially exposing the personal data of at least 35,000 people, including possibly thousands of U.S. citizens.”

The embassy advises American citizens who applied for Somali e-visas to assume their data has been compromised, monitor announcements from the Somali Immigration and Citizenship Agency, and consult Federal Trade Commission resources on data breaches. But the alert is silent on what legal action the United States can take against a foreign government operating a fraudulent data operation on American soil.

Under the CLOUD Act of 2018, U.S. law enforcement has explicit authority to compel U.S.-based technology companies to provide data in their “possession, custody, or control” regardless of where that data is stored. While Somalia is the nominal controller of the e-visa data, the physical servers are operated by Liquid Web, L.L.C., a U.S. company subject to U.S. jurisdiction. The FBI could, in theory, seize the servers, secure the data, and conduct a criminal investigation into the fraud without Somalia’s consent.

Moreover, Executive Order 14117, signed by President Biden in February 2024, explicitly addresses the threat posed when foreign governments store Americans’ “bulk sensitive personal data” on U.S. infrastructure. The order finds that such arrangements pose “an unusual and extraordinary threat” to national security. While Somalia is not currently designated as a “country of concern” under the order, the exposed data of 2,298 Americans—including potential government personnel—and the demonstrable security failures could trigger Department of Justice review.

The State Department’s Level 4 “Do Not Travel” advisory for Somalia remains in effect due to crime, terrorism, civil unrest, health issues, kidnapping, and piracy. Americans must now add to this list: state-sponsored data theft and financial fraud—hosted on American servers, subject to American law.

The Silence of Western Allies

The United States stands alone in its public acknowledgment of the breach. The United Kingdom, whose 3,027 citizens had their passport data exposed, has issued no public warning. The European Union, which provided technical assistance for Somalia’s digital migration, has remained publicly silent. The Netherlands, with 2,040 compromised passport holders, has said nothing. Sweden, with 1,679 exposed citizens, has offered no alert. Norway, Canada, Australia—all silent.

According to diplomatic sources cited by multiple outlets, embassies in Nairobi are “quietly advising” and “privately warning” citizens to presume their data is compromised. But quiet advice and private warnings do not protect aid workers in Mogadishu or diplomats traveling to Somalia. They do not notify the thousands of Europeans, Canadians, and Australians whose passport photos and travel itineraries are now accessible to al-Shabaab. They do not demand accountability for the $287,808 stolen through fraudulent duplicate charges.

The British Embassy in Mogadishu maintains no public advisory on the breach. The UK Foreign, Commonwealth & Development Office’s travel advice for Somalia warns of terrorism, kidnapping, and piracy but makes no mention of the exposure of British passport data. The EU, having funded Somalia’s digital transformation, has not informed European citizens that their investment produced a terrorist targeting database hosted on a shared server in Florida.

The Questions Washington Must Answer

How many of the 2,298 compromised Americans were traveling on official business? Were U.S. government personnel required to use this system? Has the State Department notified all 2,298 affected American citizens by name? Why was Somalia’s e-visa system certified for use by international travelers without basic security audits?

And critically: will the U.S. government use its legal authority over the Tampa-based servers to seize the data, investigate the fraud, and demand restitution for Americans who were overcharged? Or will it issue security alerts and move on?

Mogadishu quietly replaced the evisa.gov.so portal with a new platform, etas.gov.so, on November 10. The old system redirects users to the new site with no mention of the breach or data exposure. Early analysis suggests the replacement system shares concerning structural similarities with its predecessor. The Somali government has issued no official statement acknowledging the incident, detailing the scope of the compromise, or confirming whether affected individuals have been notified.

The Reckoning

Mogadishu has endangered 2,298 American lives, along with thousands more UN workers, British diplomats, and Western aid personnel, while simultaneously operating a “no-refund” scam to steal their money. The breach exposed 35,000 records from 145 countries. The fraud stole $287,808. The contractual terms ensure victims cannot recover a cent.

And it all happened on American soil, under American jurisdiction, using American infrastructure.

The fiction of a functioning Somali state has cost 35,000 people their security, their privacy, and their money—with official confirmation from Washington that 2,298 Americans are among the victims. The question remains: can the world afford to continue funding a regime that robs and exposes its own allies—including the United States—while operating its criminal enterprise from a server farm in Florida?