Security flaws plague Somalia’s new E-Visa platform

Somalia’s newly launched electronic visa (e-visa) system still contains serious security vulnerabilities that risk exposing the passport details and personal information of thousands of applicants, according to a new Al Jazeera investigation. The investigation found that the flaws allow unauthorized access to sensitive data, including full names, passport numbers, and dates of birth. Despite being alerted by a cybersecurity expert, Somalia’s government has not publicly addressed or resolved the issue.

The findings come shortly after a previous data breach involving the same system. In early November, reports of a major breach of the e-visa platform spread widely on social media. Anonymous accounts claimed hackers had seized control of the system and leaked more than 35,000 passport records, including scanned passports, biometric data, and other personal details belonging to applicants from multiple countries. The allegedly compromised files reportedly included records of diplomats, aid workers, foreign contractors, and Colombian nationals allegedly linked to Sudanese militia networks.

Despite the scale of the allegations, the Federal Government of Somalia initially remained silent, offering neither confirmation nor denial. This lack of response heightened public anxiety among thousands of applicants who had submitted sensitive personal information through the platform.

International partners soon issued warnings. On November 11, 2025, the U.S. Embassy in Mogadishu released a security notice citing “credible reports of a breach” and cautioning that the personal data of thousands of U.S. citizens may have been exposed. The United Kingdom later updated its foreign travel advisory, urging travelers to carefully consider the risks before applying for Somali e-visas.

Following these warnings, the Somali government acknowledged the incident, with the responsible agency admitting to “an unlawful breach that targeted parts of the data belonging to Somalia’s travel system.” The agency said it had isolated affected systems and launched an investigation, announcing the formation of a national investigative committee that includes security agencies, international forensic experts, and government bodies responsible for data protection.

The latest Al Jazeera revelations expose that, despite official assurances and promises of an investigation, serious doubts remain about the government’s commitment to addressing the breach with the urgency it demands. The contradiction between earlier dismissals of the breach as mere “propaganda” and the subsequent admission of an “unlawful breach” raises troubling questions about the government’s ability to safeguard private data. Even more alarming is the revelation that, despite the initial breach, significant security lapses persist — placing the personal information of travelers at continued risk and underscoring a gross failure by the government to uphold its promise of protecting citizens’ private data.