Hassan Istiila
Thursday January 8, 2026
Mogadishu (HOL) - When Hamdi Mohamed applied for a Somali e-visa in September 2025, the process felt unusually smooth. Within minutes, the traveler uploaded a passport scan, personal details, and contact information to the government’s online portal.
“It looked modern,” she recalled. “I thought Somalia was finally catching up digitally.”
“I don’t know who has my passport information now,” Mohamed said. After seeing photos of other people’s passports circulating on social media, she fears her own information could also be shared publicly. “That fear doesn’t go away,.” she added.
The breach of Somalia’s electronic visa system has become one of the country’s most consequential digital failures to date, triggering international travel warnings, an ongoing government investigation, and a deep crisis of trust in Somalia’s digital public infrastructure. What began as a technical incident has evolved into a national security, political, and diplomatic problem that raising fundamental questions about governance, accountability, and public trust.
The Somali government launched the e-visa platform on September 1, 2025, as part of its Digital Public Goods (DPGs) agenda, promoting it as a tool to strengthen border control, improve efficiency, and reduce security risks. Officials publicly framed the system as critical to preventing militants, including ISIS fighters, from entering the country. Instead, the platform itself became a point of vulnerability.
According to preliminary findings, attackers accessed a large database containing visa applicants’ personal information. While the full technical details remain undisclosed, officials have confirmed that at least 35,000 records may have been compromised, and that the breach went undetected for a significant period.
The government has since formed a task force to investigate the incident, and officials say prosecutions may follow. Yet key questions remain unanswered, for instance, how the system was designed, who built it, how it was audited, and why safeguards failed.
Attempts to reach Somalia’s immigration authorities for comment were unsuccessful.
For those whose data may have been exposed, the breach is not an abstract policy failure but it is deeply personal. Travel agents who regularly assist diaspora Somalis and foreign visitors say clients are now hesitant to use the platform. Some have reverted to informal channels, increasing costs and uncertainty.
“People are scared and keep asking us whether the e-visa system is really working,” said a Travel Agency based in Nairobi who asked not to be named due to security issues.
Another travel and cargo agency official, Abdukadir Osman Noor, said there are currently no challenges with the visa process. “People are still obtaining visas through the government’s online portal, just as before, and there are no issues,” he added.
Diaspora Somalis, many of whom already face complex travel restrictions, say the breach reinforces fears about surveillance, misuse of data, and weak protections.
“This confirms what many of us suspected,” said Abdikhadir Ahmed, a Somali living abroad. “Digital services without rules can be more dangerous than paper systems.”
Ahmed said many affected applicants are waiting for the outcome of the government investigation but expect little accountability. “Previous investigations ended without concrete punishment,” he said.
Another Somali living abroad emphasized concerns about identity theft amid a global environment of tightening borders and digital surveillance. “The e-visa breach happened just weeks after launch,” he said. “Our trust in the system dropped immediately.”
Somalia’s Data Protection Act (DPA), enacted in March 2023 (Law No. 005/2023), is the country’s first comprehensive law on personal data protection. However, experts say it provides limited vendor oversight and does not clearly mandate independent security audits of public digital systems.
“This was not just a technical failure it was a governance failure,” said Bashir Dhore, a CISSP-certified cybersecurity expert. “If you collect sensitive data without legal safeguards, clear accountability, and audits, breaches become inevitable.”
In a written assessment, Dhore said the failure was institutional rather than technological.
“The real issues were weak access control management, failure of vendor oversight, inadequate monitoring, no incident escalation mechanism, absence of internal accountability,” he wrote. “No sophisticated attacker breached the system. The system was left exposed.” Dhore said he advised authorities after the incident and concluded the breach resulted from a preventable server misconfiguration.
“It wasn’t an attack in the conventional sense,” he said. “The server was misconfigured, making visa applicants’ data publicly accessible, a door left wide open despite warnings issued weeks earlier.”
He added that the government’s delayed response and the apparent lack of experienced technical personnel suggested the system was not managed by qualified experts.
Somalia remains among the countries with the lowest cybersecurity capacity in Africa, despite recent progress in drafting policies and frameworks. While some Somali students have returned with relevant training, experts say the cybersecurity industry itself remains underdeveloped.
On social media, some users defended the breach as inevitable in a developing country. But critics argue Somalia cannot be compared with other states that have stronger institutions and professional cybersecurity capacity.
Questions intensified when the government quietly shifted its visa service from evisa.gov.so to etas.gov.so, without providing a public explanation.
Mohamed Ibrahim, a former Somali telecommunications minister and technology expert, said the lack of transparency was deeply concerning.
“Somalia isn’t high-tech, and hacking itself isn’t the main issue,” Ibrahim said. “But authorities should have been upfront with the public.”
“Why was the website’s URL changed? That hasn’t been explained,” he added.
The e-visa platform is best understood as a Digital Public Good layered on top of broader Digital Public Infrastructure. Digital Public Goods (DPGs) and Digital Public Infrastructure (DPI) enable countries to deliver inclusive, efficient, and transparent public services at scale by using interoperable, open, and reusable digital systems. They reduce costs, avoid vendor lock-in, strengthen digital sovereignty, and accelerate innovation across government and the private sector. But without strong institutions, even well-intentioned digital tools can magnify risk rather than reduce it.
The breach has intensified political tensions. Authorities in Puntland and Somaliland have publicly rejected the federal e-visa system, citing security concerns.
“No one holding Somalia’s e-visa will be allowed to enter Somaliland or land at its airports,” Somaliland President Abdirahman Irro said.
Somaliland, which declared independence in 1991, governs itself with its own institutions but is not internationally recognized. Somalia maintains that the region remains part of its sovereign territory.
Puntland has also rejected the e-visa system, citing security flaws, constitutional concerns, and what it describes as a federal power grab. The state insists travelers pay entry fees directly at Puntland airports, creating dual charges and further political friction with Mogadishu.
“This incident has damaged Somalia’s image abroad,” said Professor Shafi’i Yusuf Omar, head of research at the Brilliance Center for Security and Good Governance. “At home, it deepens skepticism toward federal institutions.” The breach prompted rare public responses from foreign governments.
The United Kingdom Embassy warned travelers on November 14 that “this data breach is ongoing and could expose any personal data you enter into the system,” advising citizens to “consider the risks before applying for an e-visa.”
The U.S. Embassy in Mogadishu said it was “unable to confirm whether an individual’s data is part of the breach” and urged anyone who had applied for a Somali e-visa to assume they may be affected.
However, in East Africa, countries such as Kenya and Uganda treat e-visa systems as critical digital public infrastructure, governed by law, oversight, and trust safeguards.
Kenya’s e-visa system operates under the Data Protection Act (2019), with independent oversight, security-by-design principles, and transparency norms. When disruptions occur, authorities typically issue public notices, limiting uncertainty and preserving trust.
Uganda follows a similar approach under its Data Protection and Privacy Act (2019), emphasizing centralized supervision, clear accountability, and risk management.
Somalia’s experience highlights what happens when digital services are built before governance structures are in place.
Key lessons include the need for enforceable data protection laws, independent oversight bodies, continuous audits, vendor accountability, and transparent public communication.
As investigations continue, the e-visa breach stands as a defining test for Somalia’s digital ambitions. Somalia has already deployed key Digital Public Infrastructure (DPI) systems such as the HUBIYE identity verification platform, the e-Aqoonsi digital ID app, and the Certificate Delivery System (CDS) to support secure national digital identity verification and access to public services.Millions of Somalis are expected to rely on digital public services in the coming years from identity systems to payments and social services.
For affected applicants like Mohamed, the question is simpler, “Will anyone be held responsible?”
Until that question is answered, Somalia’s digital border remains open not just to travelers, but to doubt.