Mogadishu (Somalia Today) — Somalia’s newly relaunched electronic visa portal remains insecure and is allowing the mass download of sensitive personal data, weeks after officials claimed to have fixed a major breach in the system.
An Al Jazeera investigation revealed that a security flaw on the e-visa website enables the retrieval of thousands of applicants’ sensitive details—including passport numbers, full names, and dates of birth—despite government assurances of reform following a major hack last month.
Al Jazeera independently verified the vulnerability and notified Somali authorities, but received no response.
System wide open
The weakness was first flagged by a web developer who discovered that, by manipulating the site’s URL, it was possible to sequentially download visa documents without authentication.
The individual shared evidence of the exposed data and alerted Somalia’s Immigration and Citizenship Agency (ICA) last week, but received no acknowledgment.
Al Jazeera journalists later replicated the exploit, successfully harvesting dozens of visa documents containing the personal information of applicants from Somalia, Portugal, Sweden, the United States, and Switzerland.
The ability to retrieve such records in bulk points to a critical security failure, emerging just weeks after officials had pledged tighter safeguards.
Despite being alerted to the issue, Somali authorities neither issued a statement nor implemented a fix.
As of publication, the portal remains vulnerable. Al Jazeera declined to publish technical specifics, citing concerns that doing so could enable further exploitation while the flaw remains unresolved.
Expert warning
Cybersecurity experts have expressed alarm over the exposure.
“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” said Bridget Andere, senior policy analyst at digital rights group Access Now.
Andere argued that Somalia’s decision to redeploy the platform following a breach—without adequate risk mitigation—demonstrates a troubling disregard for public trust. “This is how avoidable vulnerabilities are created,” she said.
Somalia’s 2023 Data Protection Act mandates that data controllers notify the Data Protection Authority within 72 hours of discovering a breach.
In high-risk scenarios, such as the current case, affected individuals must also be informed. To date, officials have issued no public statement addressing either this latest incident or the November breach.
November breach
This new lapse follows a significant data breach reported last month. On November 13, the U.S. Embassy in Mogadishu warned that hackers had accessed records of more than 35,000 visa applicants.
Leaked data included names, photographs, dates and places of birth, email addresses, marital status, and home addresses.
Following the disclosure, the ICA shifted the e-visa platform to a new domain and announced an internal investigation.
In a November 16 statement, the agency claimed it was treating the matter with “special importance” and had assembled a task force of national security and digital forensic experts.
The ICA also pledged to notify affected individuals and emphasized its commitment to data protection.
However, critics note that the agency failed to follow through. The ICA has not clarified how many people were impacted, nor has it published the promised findings. No individual notifications have been reported.
According to former telecommunications minister Mohamed Ibrahim, such opacity undermines digital governance. “They should have been upfront with the public,” he told Al Jazeera.
ICA under scrutiny
Somalia’s broader push to digitize public services, including its border and immigration systems, has sparked concerns over regulatory oversight.
The director-general of the ICA, Mustafa Sheikh Ali Duhulow, previously dismissed early reports of the November breach as “coordinated misinformation.”
Critics argue that such denials, made even as data circulated online, reflect institutional reluctance to confront cyber vulnerabilities.
The incident has drawn international attention. Somalia’s e-visa system serves thousands of foreign applicants annually.
The exposure of personal data belonging to citizens of multiple countries has prompted cybersecurity alerts from the U.S. and U.K. governments, and could strain diplomatic confidence in Somalia’s digital infrastructure.
Access Now’s Andere warned that extremist groups might attempt to exploit such leaks for intelligence gathering or recruitment. Analysts have described the breaches as among the most serious digital security failures in Somalia’s recent history.
As of this writing, the e-visa portal remains operational despite the confirmed flaw. It is unclear whether the Somali government will patch the vulnerability, notify affected individuals, or face legal repercussions under domestic data protection law.
The Somali Data Protection Authority—created to oversee compliance with the 2023 legislation—has yet to issue any public findings. Observers say the government must urgently secure its digital platforms and demonstrate accountability to restore public trust.
If it fails to do so, Somalia risks further exposure of sensitive data and growing international scrutiny.
