
Somalia’s recently launched electronic visa (e-visa) system has been found to contain serious security flaws, potentially putting the personal data of thousands of travelers at risk. Al Jazeera confirmed that the platform lacks adequate security protocols, allowing unauthorized actors to download sensitive e-visa information, including passport numbers, full names, and dates of birth.
Security Vulnerability Discovered
The vulnerability was identified following a tip from a source with web development expertise, who alerted Somali authorities last week. Despite repeated attempts to highlight the risk, no corrective action has reportedly been taken.
“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of identity theft, fraud, and intelligence gathering by malicious actors,” said Bridget Andere, senior policy analyst at digital rights group Access Now.
Al Jazeera was able to replicate the flaw, successfully downloading e-visas containing sensitive information of individuals from Somalia, Portugal, Sweden, the United States, and Switzerland. The news outlet has destroyed all sensitive information obtained during the investigation to protect the privacy of those affected.
Previous Breach and Ongoing Concerns
This latest discovery comes only a month after a major e-visa breach that affected more than 35,000 applicants, prompting warnings from both the US and UK governments. Information leaked in that incident included:
- Names and photos
- Dates and places of birth
- Email addresses and marital status
- Home addresses
Following that breach, Somalia’s Immigration and Citizenship Agency (ICA) moved the e-visa website to a new domain and stated that it was investigating the matter with “special importance.”
Despite these steps, experts warn the new system remains vulnerable. According to Access Now, rushed deployment of e-visa systems often leads to inadequate cybersecurity measures, leaving users exposed to potential abuse.
“The government’s push to deploy the e-visa system despite being clearly unprepared, then redeploying it after a serious breach, shows disregard for public trust and digital security,” said Andere.
Legal and Regulatory Implications
Somalia’s data protection law mandates that data controllers notify the data protection authority and affected individuals in cases of high-risk breaches. Given that this incident involves multiple nationalities, stronger protections and notifications are considered necessary.
Al Jazeera has refrained from disclosing technical details of the vulnerability to prevent malicious actors from exploiting it further.
Government Response
Earlier this month, Somalia’s Defence Minister Ahmed Moalim Fiqi praised the e-visa system for preventing potential ISIL (ISIS) fighters from entering the country, amid ongoing operations against local affiliates in northern Somalia. Meanwhile, the ICA continues to investigate security shortcomings but has yet to publicly acknowledge the latest vulnerability.
Conclusion
The Somalia e-visa security flaw highlights the risks associated with rapidly deployed digital systems, especially when handling sensitive personal data across international jurisdictions. Travelers are left with limited ways to protect themselves, underscoring the need for stronger cybersecurity measures and government accountability.

