Somalia’s E-Visa Breach Highlights Flaws in Oversight of Digital Public Goods

Hassan Istiila
Thursday, January 8, 2026

Somalia’s E-Visa breach exposes gaps in Digital Public Goods oversight

Mogadishu (HOL) – A significant data breach involving Somalia’s e-visa system has compromised sensitive information of over 35,000 individuals, raising profound concerns about cybersecurity practices and governance. The incident, which unfolded soon after the platform’s launch in September 2025, exposed the personal data not only of Somali citizens but also of U.S. and U.K. nationals, underscoring the magnitude of the security lapse.

Hamdi Mohamed, who applied for her e-visa in September, described the application process as modern and seamless. However, her optimism quickly turned to anxiety upon learning of the breach, fearing that her personal information could be misused or exposed further online. “I don’t know who has my passport information now,” she lamented, illustrating the psychological impact of the breach on individuals whose data is now vulnerable.

The incident represents a failure of digital public infrastructure that was intended to enhance security, efficiency, and border control. Initially marketed as a robust solution against potential threats, the platform itself became a security risk. Preliminary investigations into the breach suggest that attackers accessed a central database containing visa applicants’ details, indicating that the system had significant vulnerabilities that went unnoticed for an extended period. The breach is emblematic of a broader governance failure, in which poor oversight and a lack of security protocols contributed to the outcome.

Authorities have commenced an investigation and established a task force dedicated to this incident. However, critical questions remain regarding system design, vendor accountability, and the absence of sufficient security audits. While the government maintains that visa applications continue to be processed, travel agents note a marked decline in user confidence, leading many applicants to seek informal and less secure channels for obtaining visas.

In light of the breach, diasporic Somalis have expressed heightened concerns regarding data privacy and surveillance risks. One expatriate, Abdikhadir Ahmed, articulated a common sentiment: “Digital services without rules can be more dangerous than paper systems.” This illustrates the broader apprehension regarding the maturity of digital infrastructures in Somalia, which lacks experienced technical personnel and institutional frameworks for effective cybersecurity management.

Cybersecurity experts have pointed out that Somalia’s established Data Protection Act, enacted in March 2023, offers only limited oversight and fails to mandate independent audits for digital systems. This regulatory shortfall raises substantial concerns, as institutions without robust governing frameworks are inevitably vulnerable to breaches. Bashir Dhore, a CISSP-certified cybersecurity expert, noted fundamental flaws in access control, vendor oversight, and incident management, all of which facilitated this breach.

Mapped to the MITRE ATT&CK framework, this incident may align with several tactics, notably Initial Access and Exfiltration. The breach suggests a possible exploitation of system misconfigurations and a lack of incident response readiness, amplifying the risk of data exposure and misuse. Moreover, the shift of the visa service to a different URL without public announcement has intensified skepticism regarding transparency and governance in digital operations.

In contrast to the approach of other East African nations such as Kenya and Uganda, which enforce robust regulatory frameworks concerning their e-visa systems, Somalia’s experience highlights the crucial need for meticulous consideration and implementation of technological governance. As Somalia continues to navigate its digital ambitions, the e-visa breach stands as a defining moment that could either catalyze reform or deepen mistrust in its emerging digital landscape.

For individuals like Mohamed, accountability and transparency in the wake of this breach are paramount. Until the questions surrounding responsibility and systemic flaws are adequately addressed, the prospects for trust in Somalia’s digital infrastructure remain in doubt.
