MOGADISHU – Somalia’s official e-visa portal has been abruptly shut down after a catastrophic data leak exposed the sensitive personal information of tens of thousands of international travelers, marking one of the nation’s most severe cybersecurity failures.
The breach, first identified in late October by a Somali-American cybersecurity researcher, stemmed not from a complex external hack, but from a fundamental design flaw. As initially reported by the Somaliland Chronicle, application files were left accessible to anyone who manipulated sequential numbers in the website’s URL, requiring no login or password.
For weeks, a vast trove of data—including passport scans, personal photographs, travel itineraries, and application details from applicants in the United States, United Kingdom, Australia, and across Europe and Africa—remained freely downloadable. It is estimated that over 35,000 records were compromised, with the data appearing on social media and likely the dark web.
On November 10, the original site, evisa.gov.so, was quietly replaced with a redirect to a new platform, etas.gov.so, run by the Immigration and Citizenship Agency (ICA). While the new site allows users to track or submit applications, it contains no acknowledgment of the breach or the mass data exposure.
The Somali government has yet to issue any official statement, confirm the scale of the compromise, or notify affected individuals.
This silence has provoked sharp criticism from cybersecurity professionals and diaspora groups. “The individuals traveling to Somalia—diplomats, aid workers, journalists—are already in high-risk roles. For their personal data to be laid bare is a profound security failure,” one expert noted.
The leak places affected travelers in immediate peril, exposing them to risks of identity theft, sophisticated phishing attempts, and physical targeting by militant groups like al-Shabaab, who could use the information to track foreign movements within the country.
In response, the ICA has advised applicants to contact embassies directly and avoid third-party visa services. However, early reports suggest the replacement portal, etas.gov.so, shares concerning structural similarities with its flawed predecessor, raising questions about whether core vulnerabilities have been resolved.
International partners, including the European Union which assisted Somalia’s digital migration, have remained publicly silent. Diplomatic sources indicate that embassies are privately warning citizens to presume their data is compromised.
The e-visa system, launched in August 2025 and mandated from September 1, faced controversy from its inception. It was widely perceived as a patronage mechanism, with allegations that visa fees were funneled to private accounts instead of the official treasury—a clear breach of financial protocol.
The policy also intensified political fractures. Mogadishu’s assertion that the e-visa was required for travel to all Somali territory, including the autonomous region of Somaliland, was seen as a direct challenge to Somaliland’s self-governance. Somaliland authorities promptly rejected the decree, banning airlines from enforcing the requirement and escalating a separate airspace dispute.
The semi-autonomous state of Puntland also resisted the mandate, decrying it as federal overreach. The data breach has since vindicated these criticisms, with detractors labeling the system a “corrupt and illegitimate fiasco.”
All individuals who applied through the evisa.gov.so portal are urged to contact their national data-protection authorities and vigilantly monitor for fraudulent activity.
The portal’s failure represents a major setback for Somalia’s ambitions to modernize its governance and attract foreign investment, highlighting the immense difficulty of establishing secure digital infrastructure in a state struggling with fragility and deep political divisions
