Somalia's e-visa system, a recent addition to the country's digital infrastructure, has been found to have critical security flaws, potentially exposing sensitive personal data. According to an investigation by Al Jazeera, the system's vulnerability could allow unauthorized access to thousands of e-visa records, including passport details, full names, and dates of birth. This discovery raises significant concerns about the safety of applicants' data and the potential for identity theft, fraud, and intelligence misuse.
The flaw was identified with the help of a web development expert and verified by Al Jazeera, who confirmed that the system allowed rapid retrieval of e-visa documents for applicants from various countries. The source, who alerted the Somali authorities to the issue, reported no response or action taken, highlighting a lack of accountability in addressing the problem.
Digital rights experts emphasize the harm caused by breaches involving sensitive data, as they can expose individuals to long-term risks across different jurisdictions. They also warn that a transparent response to such breaches is crucial to maintaining public trust in government digital services.
This incident follows a major data breach reported last month, where the personal information of over 35,000 e-visa applicants was leaked. The U.S. and U.K. issued warnings, and Somalia's Immigration and Citizenship Agency moved the system to a new domain to enhance security. However, the latest findings suggest that systemic weaknesses persist, and Somalia's data protection framework may not be adequately addressing the risks.
Despite the e-visa system being promoted by senior officials as a security tool, analysts caution that rapid digital border system deployment without proper safeguards can lead to preventable vulnerabilities. This leaves applicants with limited means to protect themselves once their data is submitted, raising questions about the effectiveness of the system in ensuring national security.
Al Jazeera withheld technical details of the vulnerability to prevent further exploitation and ensured the secure destruction of all sensitive data obtained during the investigation. The Somali government, contacted with detailed questions, did not respond to the concerns raised.
