MOGADISHU (Kaab TV) – Somalia’s new electronic visa (e-visa) system lacks proper security protocols, creating vulnerabilities that could be exploited by malicious actors seeking to download thousands of e-visas containing sensitive personal information, including passport details, full names, and dates of birth.
Al Jazeera confirmed the system’s vulnerability this week following a tip from sources familiar with the development of the platform. The source provided Al Jazeera with sensitive database records as well as evidence showing that, last week, they had raised their concerns with Somali authorities to alert them to the existing security flaws.
According to the information, these efforts received no response from the authorities, and no remedial action was taken.
“Breaches involving sensitive personal data are particularly dangerous because they expose individuals to a range of harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, a senior policy analyst at the digital rights group Access Now, told Al Jazeera.
This latest security weakness comes just a month after officials said they had launched an investigation following a breach of the country’s visa system.
This week, Al Jazeera was able to reproduce the vulnerability identified by its source.
We were able to download electronic visas containing sensitive information belonging to dozens of individuals within a short period of time. The data included personal details of people from Somalia, Portugal, Sweden, the United States, and Switzerland.
Al Jazeera sent questions to the Somali government and informed it of the system flaws, but received no response.
“The government’s decision to roll out an e-visa system despite being clearly unprepared for the associated risks, and then attempting to fix it only after a serious data breach, is a clear example of how failing to prioritize people’s rights and concerns when deploying digital infrastructure can undermine public trust and create preventable vulnerabilities,” Andere said.
She also described it as alarming that Somali authorities did not issue any official notification about the serious data breach in November.
“In situations like this, Somalia’s data protection law requires data controllers to notify the data protection authority, and in high-risk cases such as this one, to also inform the affected individuals,” Andere added.
“Additional safeguards should apply in this case because it involves people of multiple nationalities and therefore multiple legal jurisdictions.”
Al Jazeera cannot disclose technical details of the breach because the vulnerability has not yet been resolved, and publishing such information could provide hackers with enough details to exploit it further.
Any sensitive data obtained by Al Jazeera as part of this investigation has been destroyed to protect the privacy of those affected.
Last month, the United States and United Kingdom governments issued warnings about a data breach that exposed the information of more than 35,000 people who had applied for Somalia’s e-visa.
“The compromised data included applicants’ names, photographs, dates and places of birth, email addresses, marital status, and home addresses,” the U.S. Embassy in Somalia said at the time.
In response to that breach, Somalia’s Immigration and Citizenship Agency (ICA) migrated its e-visa platform to a new website in an effort to improve security. On November 16, the agency said it was treating the matter with “utmost seriousness” and announced that it had launched an investigation.
Earlier that same week, Somalia’s Minister of Defense, Ahmed Macallin Fiqi, praised the e-visa system, saying it had successfully prevented ISIL (ISIS) fighters from entering the country amid months-long fighting with local forces in northern regions.
Bridget Andere of Access Now highlighted that governments often rush to implement e-visa systems, which frequently results in security failures.
She added that individuals have little ability to protect themselves from such data breaches.
“Data protection and cybersecurity considerations are often the first things to be overlooked,” she said. “It is difficult to place the burden on individuals because the information they provide is required in order to access these systems.”