Somalia’s recently launched electronic visa (e-visa) website has serious security flaws that could allow hackers to access thousands of sensitive records, including passport details, full names, and dates of birth.
Al Jazeera confirmed the vulnerability this week following a tip from a source with web development experience. The source said they had alerted Somali authorities last week but received no response, and the issue remains unresolved.
“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” said Bridget Andere, senior policy analyst at digital rights group Access Now.
The flaw comes just a month after Somali officials announced an investigation into a previous cyberattack on the e-visa system. Al Jazeera was able to replicate the vulnerability and download e-visas containing personal information from dozens of people, including citizens of Somalia, Portugal, Sweden, the United States, and Switzerland.
Al Jazeera stated that it had reached out to the Somali government and alerted them to the issue, but received no response.
Andere criticized the government’s handling of the system, saying: “The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities.”
She added that Somalia’s data protection law requires authorities to notify the data protection authority and affected individuals in cases like this, especially since the breach involves multiple nationalities.
Al Jazeera has destroyed any sensitive information obtained during its investigation to protect the privacy of those affected and has withheld technical details to prevent further exploitation.
Last month, the United States and United Kingdom issued warnings about a previous e-visa data breach affecting more than 35,000 applicants. The leaked information included names, photos, dates and places of birth, email addresses, marital status, and home addresses.
In response, Somalia’s Immigration and Citizenship Agency (ICA) launched a new e-visa website, claiming it would improve security. At the time, Defence Minister Ahmed Moalim Fiqi praised the system, saying it had successfully prevented ISIL fighters from entering the country amid ongoing military operations in the north.
Andere noted that rushed implementation of e-visa systems often leads to weak security. “Data protection and cybersecurity considerations are often the first to be disregarded,” she said. “It is difficult to shift the burden to people because the data they gave is required for a particular process.”


