Somalia’s new electronic visa website lacks proper security protocols, which could be exploited by nefarious actors wanting to download thousands of e-visas containing sensitive information, including individuals’ passport details, full names, and dates of birth.

Al Jazeera confirmed the system vulnerability this week, following a tip from a source with a background in web development.

Recommended Stories

list of 3 itemsend of list

The source provided Al Jazeera with information about the at-risk data as well as evidence that they had taken their concerns to the Somali authorities last week to make them aware of the vulnerability.

The source said that despite their efforts, there had been no response from the authorities and the issue had not been fixed.

“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, senior policy analyst at digital rights group Access Now, told Al Jazeera.

This new security weakness comes a month after officials said they launched an inquiry after hackers breached the country’s e-visa platform.

This week, Al Jazeera was able to replicate the vulnerability identified by our source.

We were able to download e-visas containing sensitive information from dozens of people in a short time. This included the personal details of people from Somalia, Portugal, Sweden, the United States and Switzerland.

Al Jazeera sent questions to the Somali government and alerted them about the system flaw, but did not receive a response.

Advertisement

“The government’s push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people’s concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” Andere said.

“It’s also alarming that the Somalian authorities have not issued any formal notice about this [November] serious data breach.”

“In such situations, Somalia’s data protection law mandates data controllers to notify the data protection authority, and in high-risk contexts such as in this incident, to also notify the individuals affected,” Andere added.

“Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions.”

Al Jazeera cannot reveal technical details about the breach because the vulnerability has not yet been fixed, so publishing it could provide hackers with enough information to replicate the leak.

Any sensitive information Al Jazeera obtained as part of this investigation has been destroyed to ensure the privacy of those affected.

Previous breach

Last month, the US and United Kingdom governments sent out a warning about a data breach that leaked the information of more than 35,000 people who had applied for an e-visa to Somalia.

“Leaked data from the breach included visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses,” the US Embassy in Somalia said at the time.

In response to that data breach, Somalia’s Immigration and Citizenship Agency (ICA) changed its e-visa website to a new domain in an attempt to increase security.

The immigration agency said on November 16 that it was treating the issue with “special importance” and announced it had launched an investigation into the issue.

Earlier that week, Somalia’s Defence Minister Ahmed Moalim Fiqi had praised the e-visa system, claiming it had successfully prevented ISIL (ISIS) fighters from entering the country, as a months-long battle continued in the northern regions against a local affiliate of the group.

Access Now’s Andere highlighted that governments often rush to implement e-visa systems, which frequently leads to insecure situations.

She added that it is hard for people to protect themselves against these types of data breaches.

“Data protection and cybersecurity considerations are often the first to be disregarded,” she said. “It is difficult to shift the burden to people because the data they gave is required for a particular process.”

Advertisement