Somalia’s electronic visa website contains critical security flaws, exposing passport data and personal details of thousands, Al Jazeera investigation reveals.
Somalia’s electronic visa system, a cornerstone of the government’s push to modernize border controls and screen travelers, contains serious security flaws that could allow malicious actors to access thousands of visa applications, exposing passport data and other sensitive personal information, according to an investigation by Al Jazeera.
The vulnerabilities, which cybersecurity experts say pose significant risks of identity theft and fraud, were confirmed this week after a source with a background in web development alerted journalists to weaknesses in the platform’s security architecture. The source provided evidence showing that the data — including applicants’ full names, passport details and dates of birth — could be accessed and downloaded without proper authorization.
The source said they had raised the issue with Somali authorities last week but received no response, and that the vulnerability remained unaddressed.
“Breaches involving sensitive personal data are particularly dangerous,” said Bridget Andere, a senior policy analyst at the digital rights organization Access Now. “They put people at risk of various harms, including identity theft, fraud and intelligence gathering by malicious actors.”
The newly identified flaw comes just weeks after Somali officials said they had launched an inquiry into a previous breach of the country’s e-visa system, in which hackers accessed the personal information of tens of thousands of applicants. Despite that investigation, Al Jazeera reporters said they were able to independently replicate the more recent vulnerability.
In a short period of time, journalists were able to download electronic visa documents belonging to dozens of individuals, including applicants from Somalia, Portugal, Sweden, the United States and Switzerland. The documents contained detailed personal information typically protected under international data-privacy standards.
Al Jazeera said it alerted the Somali government to the flaw and sent a list of questions seeking comment, but received no response.
Andere said the episode reflects a broader pattern in which governments rush to deploy digital infrastructure without adequately addressing security and privacy risks.
“The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” she said.
She also criticized Somali authorities for failing to publicly acknowledge the earlier breach in November.
“It’s alarming that the authorities have not issued any formal notice about this serious data breach,” Andere said. “In such situations, Somalia’s data protection law mandates data controllers to notify the data protection authority, and in high-risk contexts like this one, to also notify the individuals affected.”
Because the vulnerability has not yet been fixed, Al Jazeera said it could not publish technical details of the flaw, warning that doing so could enable hackers to replicate the breach. The outlet said all sensitive information obtained during its reporting had been destroyed to protect those affected.
The latest disclosure follows a major incident last month, when the United States and the United Kingdom issued warnings to their citizens about a breach involving Somalia’s e-visa platform. According to the U.S. Embassy in Somalia, the leaked data in that case included the names, photographs, dates and places of birth, email addresses, marital status and home addresses of more than 35,000 visa applicants.
In response, Somalia’s Immigration and Citizenship Agency moved the e-visa system to a new internet domain and said it was treating the matter with “special importance.” On November 16, the agency announced it had opened an investigation into the breach.
Days earlier, Somalia’s defense minister, Ahmed Moalim Fiqi, had publicly praised the e-visa system, saying it had helped prevent fighters affiliated with the Islamic State group from entering the country as government forces battled militants in northern regions.
But digital rights advocates say such security claims do not offset the risks posed by poorly secured systems.
“Governments often rush to implement e-visa systems, which frequently leads to insecure situations,” Andere said. “Data protection and cybersecurity considerations are often the first to be disregarded. It is difficult to shift the burden to people because the data they provide is required for a particular process.”
For visa applicants, she added, there is often little recourse once their personal information has been exposed — especially when breaches span multiple countries and legal jurisdictions.
