Al Jazeera confirmed a serious vulnerability in Somalia’s new e‑visa portal that could let attackers download thousands of records containing passport numbers, names and dates of birth. A web‑developer source says they warned authorities last week with no response; Al Jazeera replicated the flaw. The issue follows an earlier breach that exposed data from over 35,000 applicants and prompted the service to move to a new domain.
Critical Flaw in Somalia’s New E‑Visa Portal Exposes Thousands of Personal Records
A Somali immigration official holds up new passports [File: Finbarr O'Reilly/Reuters]
Somalia’s recently launched electronic visa portal contains a critical security flaw that could allow attackers to bulk-download thousands of e‑visa records containing sensitive personal information, including passport numbers, full names and dates of birth.
How the Issue Was Identified
Al Jazeera verified the vulnerability this week after receiving a tip from a source with a web development background. The source provided evidence that they had alerted Somali authorities last week about the weakness but received no response. Al Jazeera was subsequently able to reproduce the issue and download multiple e‑visa files in a short period.
What Data Was Exposed
Data obtained during the investigation included records belonging to people from Somalia, Portugal, Sweden, the United States and Switzerland. The exposure echoes a previous breach reported last month that affected more than 35,000 visa applicants.
Earlier Breach
The US and UK governments warned earlier that a breach had leaked the information of over 35,000 e‑visa applicants. The US Embassy in Somalia said leaked data included names, photos, dates and places of birth, email addresses, marital status and home addresses.
Official Response
Somalia’s Immigration and Citizenship Agency (ICA) moved its e‑visa service to a new domain on November 16 and said it had opened an investigation. Al Jazeera contacted Somali authorities about the current vulnerability and the earlier breach but did not receive a response.
Expert Concerns
“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” said Bridget Andere, senior policy analyst at digital rights group Access Now.
Andere criticized the rapid deployment of digital systems without adequate safeguards and said Somalia’s data protection law requires data controllers to notify authorities — and, in high‑risk cases, affected individuals — when breaches occur. She also warned that extra protections are needed because the exposed records involve multiple nationalities and legal jurisdictions.
Responsible Disclosure and Precautions
Al Jazeera said it will not publish technical details of the vulnerability while it remains unpatched to avoid enabling further exploitation. Any sensitive data obtained during the investigation has been destroyed to protect the privacy of those affected.
What This Means
The incident highlights ongoing risks in rapidly deployed digital government systems. Without timely fixes and transparent notifications, individuals whose data are exposed remain vulnerable to fraud, identity theft and other harms. Access Now and other privacy advocates are calling for prompt remediation, full disclosure to affected people, and stronger safeguards for cross‑border data.
