{"id":12453,"date":"2026-01-09T04:12:07","date_gmt":"2026-01-09T04:12:07","guid":{"rendered":"https:\/\/www.europesays.com\/africa\/12453\/"},"modified":"2026-01-09T04:12:07","modified_gmt":"2026-01-09T04:12:07","slug":"somalias-e-visa-breach-exposes-gaps-in-digital-public-goods-oversight","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/africa\/12453\/","title":{"rendered":"Somalia\u2019s E-Visa breach exposes gaps in Digital Public Goods oversight"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.europesays.com\/africa\/wp-content\/uploads\/2026\/01\/hol.jpg\" alt=\"HOL Logo\" class=\"source-logo-inline\"\/><br \/>Hassan Istiila<br \/>Thursday January 8, 2026<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.europesays.com\/africa\/wp-content\/uploads\/2026\/01\/1767885287513698859_1023234423312302_8625962258460345044_n.jpg\" alt=\"Somalia\u2019s E-Visa breach exposes gaps in Digital Public Goods oversight\" width=\"660\" height=\"440\"\/><\/p>\n<p>Mogadishu (HOL) &#8211; When Hamdi Mohamed applied for a Somali e-visa in September 2025, the process felt unusually smooth. Within minutes, the traveler uploaded a passport scan, personal details, and contact information to the government\u2019s online portal.<\/p>\n<p>\u201cIt looked modern,\u201d she recalled. \u201cI thought Somalia was finally catching up digitally.\u201d<\/p>\n<p>Weeks later, Mohamed learned that the same system had been breached and that her personal data might be among more than 35,000 records exposed, including details of U.S. and U.K. citizens.<\/p>\n<p>\u201cI don\u2019t know who has my passport information now,\u201d Mohamed said. After seeing photos of other people\u2019s passports circulating on social media, she fears her own information could also be shared publicly. 
\u201cThat fear doesn\u2019t go away,\u201d she added.<\/p>\n<p>The breach of Somalia\u2019s electronic visa system has become one of the country\u2019s most consequential digital failures to date, triggering international travel warnings, an ongoing government investigation, and a deep crisis of trust in Somalia\u2019s digital public infrastructure. What began as a technical incident has evolved into a national security, political, and diplomatic problem that raises fundamental questions about governance, accountability, and public trust.<\/p>\n<p>The Somali government launched the e-visa platform on September 1, 2025, as part of its Digital Public Goods (DPGs) agenda, promoting it as a tool to strengthen border control, improve efficiency, and reduce security risks. Officials publicly framed the system as critical to preventing militants, including ISIS fighters, from entering the country. Instead, the platform itself became a point of vulnerability.<\/p>\n<p>According to preliminary findings, attackers accessed a large database containing visa applicants\u2019 personal information. While the full technical details remain undisclosed, officials have confirmed that at least 35,000 records may have been compromised, and that the breach went undetected for a significant period.<\/p>\n<p>The government has since formed a task force to investigate the incident, and officials say prosecutions may follow. Yet key questions remain unanswered: for instance, how the system was designed, who built it, how it was audited, and why safeguards failed.<br \/>Attempts to reach Somalia\u2019s immigration authorities for comment were unsuccessful.<\/p>\n<p>For those whose data may have been exposed, the breach is not an abstract policy failure; it is deeply personal. Travel agents who regularly assist diaspora Somalis and foreign visitors say clients are now hesitant to use the platform. 
Some have reverted to informal channels, increasing costs and uncertainty.<\/p>\n<p>\u201cPeople are scared and keep asking us whether the e-visa system is really working,\u201d said a representative of a travel agency based in Nairobi who asked not to be named due to security issues.<\/p>\n<p>Another travel and cargo agency official, Abdukadir Osman Noor, said there are currently no challenges with the visa process. \u201cPeople are still obtaining visas through the government\u2019s online portal, just as before, and there are no issues,\u201d he added.<\/p>\n<p>Diaspora Somalis, many of whom already face complex travel restrictions, say the breach reinforces fears about surveillance, misuse of data, and weak protections.<\/p>\n<p>\u201cThis confirms what many of us suspected,\u201d said Abdikhadir Ahmed, a Somali living abroad. \u201cDigital services without rules can be more dangerous than paper systems.\u201d<\/p>\n<p>Ahmed said many affected applicants are waiting for the outcome of the government investigation but expect little accountability. \u201cPrevious investigations ended without concrete punishment,\u201d he said.<\/p>\n<p>Another Somali living abroad emphasized concerns about identity theft amid a global environment of tightening borders and digital surveillance. \u201cThe e-visa breach happened just weeks after launch,\u201d he said. \u201cOur trust in the system dropped immediately.\u201d<\/p>\n<p>Somalia\u2019s Data Protection Act (DPA), enacted in March 2023 (Law No. 005\/2023), is the country\u2019s first comprehensive law on personal data protection. However, experts say it provides limited vendor oversight and does not clearly mandate independent security audits of public digital systems.<\/p>\n<p>\u201cThis was not just a technical failure; it was a governance failure,\u201d said Bashir Dhore, a CISSP-certified cybersecurity expert. 
\u201cIf you collect sensitive data without legal safeguards, clear accountability, and audits, breaches become inevitable.\u201d<\/p>\n<p>In a written assessment, Dhore said the failure was institutional rather than technological.<\/p>\n<p>\u201cThe real issues were weak access control management, failure of vendor oversight, inadequate monitoring, no incident escalation mechanism, absence of internal accountability,\u201d he wrote. \u201cNo sophisticated attacker breached the system. The system was left exposed.\u201d Dhore said he advised authorities after the incident and concluded the breach resulted from a preventable server misconfiguration.<\/p>\n<p>\u201cIt wasn\u2019t an attack in the conventional sense,\u201d he said. \u201cThe server was misconfigured, making visa applicants\u2019 data publicly accessible, a door left wide open despite warnings issued weeks earlier.\u201d<\/p>\n<p>He added that the government\u2019s delayed response and the apparent lack of experienced technical personnel suggested the system was not managed by qualified experts.<\/p>\n<p>Somalia remains among the countries with the lowest cybersecurity capacity in Africa, despite recent progress in drafting policies and frameworks. While some Somali students have returned with relevant training, experts say the cybersecurity industry itself remains underdeveloped.<\/p>\n<p>On social media, some users defended the breach as inevitable in a developing country. 
But critics argue Somalia cannot be compared with other states that have stronger institutions and professional cybersecurity capacity.<\/p>\n<p>Questions intensified when the government quietly shifted its visa service from evisa.gov.so to etas.gov.so, without providing a public explanation.<\/p>\n<p>Mohamed Ibrahim, a former Somali telecommunications minister and technology expert, said the lack of transparency was deeply concerning.<\/p>\n<p>\u201cSomalia isn\u2019t high-tech, and hacking itself isn\u2019t the main issue,\u201d Ibrahim said. \u201cBut authorities should have been upfront with the public.\u201d<\/p>\n<p>\u201cWhy was the website\u2019s URL changed? That hasn\u2019t been explained,\u201d he added.<\/p>\n<p>The e-visa platform is best understood as a Digital Public Good layered on top of broader Digital Public Infrastructure. Digital Public Goods (DPGs) and Digital Public Infrastructure (DPI) enable countries to deliver inclusive, efficient, and transparent public services at scale by using interoperable, open, and reusable digital systems. They reduce costs, avoid vendor lock-in, strengthen digital sovereignty, and accelerate innovation across government and the private sector. But without strong institutions, even well-intentioned digital tools can magnify risk rather than reduce it.<\/p>\n<p>The breach has intensified political tensions. Authorities in Puntland and Somaliland have publicly rejected the federal e-visa system, citing security concerns.<\/p>\n<p>\u201cNo one holding Somalia\u2019s e-visa will be allowed to enter Somaliland or land at its airports,\u201d Somaliland President Abdirahman Irro said.<\/p>\n<p>Somaliland, which declared independence in 1991, governs itself with its own institutions but is not internationally recognized. 
Somalia maintains that the region remains part of its sovereign territory.<\/p>\n<p>Puntland has also rejected the e-visa system, citing security flaws, constitutional concerns, and what it describes as a federal power grab. The state insists travelers pay entry fees directly at Puntland airports, creating dual charges and further political friction with Mogadishu.<\/p>\n<p>\u201cThis incident has damaged Somalia\u2019s image abroad,\u201d said Professor Shafi\u2019i Yusuf Omar, head of research at the Brilliance Center for Security and Good Governance. \u201cAt home, it deepens skepticism toward federal institutions.\u201d The breach prompted rare public responses from foreign governments.<\/p>\n<p>The United Kingdom Embassy warned travelers on November 14 that \u201cthis data breach is ongoing and could expose any personal data you enter into the system,\u201d advising citizens to \u201cconsider the risks before applying for an e-visa.\u201d<\/p>\n<p>The U.S. Embassy in Mogadishu said it was \u201cunable to confirm whether an individual\u2019s data is part of the breach\u201d and urged anyone who had applied for a Somali e-visa to assume they may be affected.<\/p>\n<p>However, in East Africa, countries such as Kenya and Uganda treat e-visa systems as critical digital public infrastructure, governed by law, oversight, and trust safeguards.<\/p>\n<p>Kenya\u2019s e-visa system operates under the Data Protection Act (2019), with independent oversight, security-by-design principles, and transparency norms. 
When disruptions occur, authorities typically issue public notices, limiting uncertainty and preserving trust.<\/p>\n<p>Uganda follows a similar approach under its Data Protection and Privacy Act (2019), emphasizing centralized supervision, clear accountability, and risk management.<\/p>\n<p>Somalia\u2019s experience highlights what happens when digital services are built before governance structures are in place.<\/p>\n<p>Key lessons include the need for enforceable data protection laws, independent oversight bodies, continuous audits, vendor accountability, and transparent public communication.<\/p>\n<p>As investigations continue, the e-visa breach stands as a defining test for Somalia\u2019s digital ambitions. Somalia has already deployed key Digital Public Infrastructure (DPI) systems such as the HUBIYE identity verification platform, the e-Aqoonsi digital ID app, and the Certificate Delivery System (CDS) to support secure national digital identity verification and access to public services. Millions of Somalis are expected to rely on digital public services in the coming years, from identity systems to payments and social services.<\/p>\n<p>For affected applicants like Mohamed, the question is simpler: \u201cWill anyone be held responsible?\u201d<\/p>\n<p>Until that question is answered, Somalia\u2019s digital border remains open not just to travelers, but to doubt.<\/p>\n","protected":false},"excerpt":{"rendered":"Hassan IstiilaThursday January 8, 2026 Mogadishu (HOL) &#8211; When Hamdi Mohamed applied for a Somali e-visa in 
September&hellip;\n","protected":false},"author":2,"featured_media":12454,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[8464,459,8463,8465,7890,8466,2650,8467,4808,5158,153],"class_list":{"0":"post-12453","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uganda","8":"tag-breach","9":"tag-digital","10":"tag-evisa","11":"tag-exposes","12":"tag-gaps","13":"tag-goods","14":"tag-in","15":"tag-oversight","16":"tag-public","17":"tag-somalias","18":"tag-uganda"},"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/posts\/12453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/comments?post=12453"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/posts\/12453\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/media\/12454"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/media?parent=12453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/categories?post=12453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/africa\/wp-json\/wp\/v2\/tags?post=12453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}