The U.S. issues a global security alert after a massive Somalia e-visa data breach exposing 35,000+ applicants, raising cyber, travel, and national-security concerns.
NAIROBI — The United States has issued the first formal international security alert over a massive data breach in Somalia’s new electronic visa (e-visa) system, warning that the personal information of at least 35,000 visa applicants—including thousands of American citizens—may have been exposed after hackers penetrated the platform.
The advisory, released by the U.S. Embassy in Somalia on Nov. 11, cites “credible allegations” that unidentified actors accessed and downloaded sensitive visa records. The breach, first revealed by The Saxafi Media on Nov. 11, included highly personal details: full legal names, passport photos, dates and places of birth, marital status, home addresses, and email contacts.
U.S. officials said the scope of the leak remains unclear but urged all individuals who applied for Somali e-visas to “assume their data may have been compromised.”
“Individuals who applied for a Somali e-visa may be affected,” the embassy said in its emergency notice, adding that the breach presents heightened risks in one of the world’s most volatile security environments.
The incident deepens concerns over Somalia’s digital governance infrastructure and comes as the U.S. State Department renewed its Level 4: Do Not Travel advisory for Somalia—citing terrorism, civil unrest, kidnapping, piracy, and what officials described as “unreliable” visa systems vulnerable to fraud and identity theft.
A System Left Exposed
According to The Saxafi Media’s investigation, the breach resulted from a basic but catastrophic flaw: all application files stored on the Somali e-visa portal were accessible simply by altering sequential numbers in the website’s URL.
No login. No authentication. No security barriers.
A Somali-American cybersecurity specialist discovered the vulnerability in October and alerted journalists when no corrective action was taken.
The news outlet reviewed, downloaded, and authenticated samples of leaked records, confirming that submissions from diplomats, aid workers, foreign journalists, and even UN personnel were exposed for weeks.
On Nov. 10—three days after the report went public—the Somali Immigration and Citizenship Agency (ICA) quietly took its original portal (evisa.gov.so) offline and migrated to a new website (etas.gov.so). No public disclosure or applicant notification accompanied the transition.
U.S. Raises Alarm Over e-Visa Reliability
In its updated Nov. 11 advisory, the U.S. government warned American citizens not only about the breach but also about Somalia’s broader inability to ensure visa authenticity and travel safety.
“Do not travel to Somalia due to crime, terrorism, civil unrest, unreliable eVisa systems, kidnapping, piracy, and lack of available consular services,” the U.S. State Department said.
The advisory cited:
- Widespread violent crime and car bombings
- Kidnappings and assassinations targeting foreigners
- Active attacks by al-Shabaab
- Severe limitations on U.S. consular assistance
- High maritime piracy risk along the coast
U.S. government personnel remain prohibited from traveling beyond the Mogadishu International Airport compound, reflecting insecurity even within the capital.
Medical care, the notice added, is “inadequate or nonexistent” in much of the country, with a lack of reliable hospitals and shortages of essential medication.
The Federal Aviation Administration (FAA) continues to enforce restrictions on U.S. civilian flights in or near Somali airspace due to extremist threats.
Embassy Details Risks, Offers Guidance
In a separate press statement, the U.S. Embassy Somalia urged Americans affected by the breach to review federal resources on identity theft and cybersecurity.
“Leaked data may include names, photos, places of birth, email addresses, marital status, and home addresses,” the embassy warned.
“We cannot confirm whether an individual’s data is part of the breach, but applicants should take precautions.”
The embassy referred individuals to Federal Trade Commission tools and directed affected travelers to contact U.S. consular services in Nairobi or Washington.
UK Warns: Somalia’s e-Visa ‘Not Valid’ for Somaliland
Amid the fallout, the United Kingdom issued a separate advisory clarifying that Somali visas—including electronic authorizations—are not valid for travel to Somaliland, which operates its own immigration and border-control system.
The UK Foreign, Commonwealth and Development Office instructed British nationals to obtain visas directly from Somaliland authorities on arrival at Hargeisa Egal International Airport.
“Somalia’s e-Visa system does not apply to Somaliland,” the guidance states.
“Travelers should verify entry requirements with Somaliland officials.”
The clarification is seen in Hargeisa as further acknowledgment of Somaliland’s de facto independence—especially as the two governments escalate disputes over airspace management, border control, and digital systems.
Patchwork Systems, Real-World Consequences
The fallout underscores a deeper structural reality: Somalia and Somaliland now operate parallel, conflicting border and visa regimes, leaving travelers caught between two administrations with no shared digital infrastructure or verification framework.
Security analysts warn that the breach could have long-term implications.
“In regions with active terror networks, leaking passport data is not just a privacy violation—it’s a national security threat,” said Nairobi-based cybersecurity expert Jamal Hussein.
“This could enable impersonation, extortion, or targeting of high-risk individuals.”
Aid agencies, UN personnel, and foreign missions are now assessing possible exposure of staff records.
A Breach With Geopolitical Stakes
The timing of the breach comes during heightened regional tension:
- Somaliland is asserting full control over its airspace and enforcing overflight rules.
- Somalia is seeking stronger central authority over national borders.
- International airlines are adjusting operations amid competing directives.
Western governments, meanwhile, are increasingly wary of Somalia’s capacity to handle sensitive digital systems.
“If a government cannot secure its visa portal, it raises broader questions about cyber governance,” said a senior Western diplomat who spoke on condition of anonymity.
A Crisis Still Unfolding
Somalia’s ICA has yet to issue a formal public statement acknowledging the breach, disclose how many individuals were affected, or outline steps taken to secure its systems. The agency did not respond to multiple requests for comment from regional media.
Digital forensics experts say the full extent of the exposure may not be known for months.
For now, the United States is urging citizens to avoid Somalia entirely—and for those already in the country, to enroll in the Smart Traveler Enrollment Program (STEP) and prepare contingency plans should conditions deteriorate.
The U.S. advisory concludes with an unusually blunt warning:
“Do not travel to Somalia.”
