Somali-Americans and U.S.citizens are preparing a class-action lawsuit against Somalia for a massive E-Visa data breach that exposed 35,000 applicants’ data. The leak triggered a mass exodus of foreign intelligence personnel and could lead to millions in damages, marking a major international legal challenge over cybersecurity negligence.
WASHINGTON/MOGADISHU – A massive data breach of Somalia’s E-Visa system has sparked a transatlantic legal firestorm, with Somali-Americans and other U.S. citizens preparing a class-action lawsuit against the Federal Government of Somalia for alleged negligence in failing to protect highly sensitive passport, photo, and biometric data.
The breach, which occurred on November 11 and exposed the personal information of over 35,000 visa applicants, including at least 2,298 American citizens, has also triggered a rapid exodus of more than 60 foreign intelligence and security specialists from Somalia over the past 24 hours, according to sources familiar with the matter who spoke to local outlet Baidoa Online. The specialists fled over fears that their compromised data made them immediate “political targets” in a region rife with militant groups.
“The Somali government had a fundamental duty to protect this incredibly sensitive information, and they failed catastrophically,” said [Lawyer’s Name], a U.S.-based attorney involved in preparing the lawsuit, in an interview. “This isn’t just a privacy violation; it’s a direct threat to the safety of thousands, including U.S. security personnel. We are talking about a foreseeable harm for which the government must be held accountable, with potential compensation in the millions of dollars.”
The lawsuit, if filed, would represent one of the most significant international legal challenges Somalia has ever faced over cybersecurity failures. It is being framed around claims of negligence, unlawful data processing, and breach of fiduciary duty.
The crisis has paralyzed Somalia’s immigration protocols. Multiple foreign embassies, including the U.S. Embassy in Mogadishu, have suspended use of the government’s E-Visa system, and several airlines have independently stopped requiring the e-visas for travel to Somalia, citing security and data integrity concerns.
According to a Saxafi Media investigation cited in the legal preparations, the compromised data was stored on an unsecured shared server in Florida, operated by a Michigan-based company, leaving it vulnerable to state-sponsored and criminal threat actors. The leaked records include passport photos, dates and places of birth, email and home addresses, and detailed travel histories.
The U.S. Embassy, in a press release, confirmed the breach included “visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses,” but could not confirm individual exposure.
The fallout extends beyond individual privacy. Security analysts fear the data has effectively created a “targeting list” for the al-Shabaab militant group, which remains a potent insurgent force in the country. The breach has also exposed a clandestine network of foreign fighters, with investigators finding dozens of Colombian nationals of military age in the database who entered Somalia on short-term visas before traveling onward to Sudan, raising international concerns about the movement of alleged mercenaries.
Somalia’s Interior Minister, Ahmed Mo Fiqi, has vehemently denied any government wrongdoing or involvement in foreign military transfers. In a televised statement, he dismissed the allegations as “baseless fabrications from enemies of Somalia’s progress,” and characterized the incident as a “criminal cyberattack designed to discredit our institutions.”
However, inside Somali government institutions, officials described an atmosphere of disorganization and rising tension, with staff reportedly under pressure to accept responsibility for the fiasco.
For the plaintiffs, the case is expected to leverage the extraterritorial reach of regulations like the EU’s General Data Protection Regulation (GDPR), which allows for substantial penalties and the right to seek compensation for damages.
“The defendants in this case are clear: the Somali government as the data controller, the airlines that relied on this flawed system, and the U.S. tech firm that hosted the data on a vulnerable server,” the plaintiffs’ attorney added. “We are consolidating all victims to pursue accountability, financial redress, and to ensure such a profound security failure never happens again.”
