
New Flaw in Somalia’s E-Visa System Exposes Travelers’ Passport Data

A newly identified security flaw in Somalia’s electronic visa platform has raised serious concerns about the safety of personal data belonging to thousands of travelers, only weeks after the country acknowledged a major breach affecting tens of thousands of applicants. Investigations show that the Somalia e-visa system lacks essential protection methods, making it possible for unauthorized users to access and download sensitive documents with minimal effort. 

The Somalia e-visa flaw was confirmed this week by Al Jazeera after receiving a tip from a source with professional experience in web development. According to the source, the e-visa platform could be exploited to retrieve large numbers of visa files containing highly sensitive personal information. The exposed data includes applicants’ passport details, full names, and dates of birth, information that could be misused for a wide range of criminal or intelligence-related activities. 

Ignored Warnings Followed by Independent Verification of Global Data Exposure

The source not only shared evidence of the exposed data with Al Jazeera but also demonstrated that they had formally alerted Somali authorities to the e-visa vulnerability the previous week. Despite these warnings, the individual stated that there was no response from officials and no indication that the flaw had been addressed or corrected. 

Al Jazeera independently verified the claims by replicating the vulnerability described by the source. During testing, journalists were able to download e-visas belonging to dozens of individuals within a short period. The compromised files included personal information of applicants from several countries, including Somalia, Portugal, Sweden, the United States, and Switzerland. 

“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, a senior policy analyst at the digital rights organization Access Now, said in comments to Al Jazeera. She noted that the consequences of such failures extend beyond technical problems and can have lasting effects on individuals’ safety and privacy. 

Somalia E-Visa Vulnerability Emerges as Fallout Continues from Earlier Mass Data Breach

The Somalia e-visa flaw comes barely a month after Somali officials announced an inquiry into an earlier cyberattack on the same e-visa system. That previous incident prompted warnings from both the United States and the United Kingdom governments. According to those alerts, personal information belonging to more than 35,000 Somalia e-visa applicants had been leaked. 

At the time, the US Embassy in Somalia detailed the scope of the exposure, stating that the compromised data included applicants’ names, photographs, dates and places of birth, email addresses, marital status, and home addresses. 

In response, Somalia’s Immigration and Citizenship Agency (ICA) moved the e-visa platform to a new internet domain, citing the change as an effort to strengthen security. On November 16, the agency said it was treating the breach with “special importance” and confirmed that an investigation had been launched. However, the discovery of a fresh e-visa vulnerability suggests that the underlying security issues may not have been fully resolved. 

Security Claims Clash with Legal Duties

Earlier that same week, Somalia’s Defence Minister, Ahmed Moalim Fiqi, publicly praised the Somalia e-visa system. He claimed it had played a role in preventing ISIL (ISIS) fighters from entering the country, as Somali forces continued a months-long battle against a local affiliate of the group in the northern regions. 

“The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” Andere said. She also expressed alarm that Somali authorities had not issued any formal public notice about the serious November data breach. 

Under Somalia’s data protection law, data controllers are required to notify the national data protection authority when breaches occur. In high-risk cases, such as incidents involving sensitive personal data, affected individuals must also be informed. “Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions,” Andere added. 

Al Jazeera said it could not disclose specific technical details of the current security flaw, as the vulnerability remains unpatched, and publicizing it could enable further exploitation. Any sensitive information obtained during the investigation was destroyed to protect the privacy of those affected. 

Ashish Khaitan

Ashish is a technical writer at The Cyber Express. He adores writing about the latest technologies and covering the latest cybersecurity events. In his free time, he likes to play horror and open-world video games.
