Somalia’s official electronic visa portal, evisa.gov.so, has been abruptly shut down following the exposure of sensitive personal data belonging to tens of thousands of international travelers—one of the most severe cybersecurity failures in the country’s recent history.
The breach, first revealed in late October by a Somali-American cybersecurity researcher, did not result from a sophisticated cyberattack but from a critical design flaw: application files were accessible to anyone who simply incremented sequential numbers in the website’s URL. No login or authentication was required, as reported by the Somaliland Chronicle.
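The flaw described above is a missing access check on a guessable identifier. The sketch below is an added example, not code from the portal or from the researcher's report: it sets that lookup pattern beside a hardened one that requires a session, checks record ownership, and uses random references. All names, the in-memory stores and the sample records are constructed assumptions.

```python
import secrets

# Constructed in-memory stores standing in for a database and a session table.
APPLICATIONS = {}   # random public reference -> {"owner": ..., "document": ...}
SESSIONS = {}       # session token -> applicant id


def fetch_vulnerable(store, numeric_id):
    # Flawed pattern: the identifier in the URL is the only input.
    # No session is required and ownership is never checked, so every
    # neighbouring sequential number returns another applicant's file.
    return store.get(numeric_id)


def create_application(applicant_id, document):
    # Random 128-bit reference instead of a sequential counter.
    ref = secrets.token_urlsafe(16)
    APPLICATIONS[ref] = {"owner": applicant_id, "document": document}
    return ref


def login(applicant_id):
    # Hypothetical login step: issue an unguessable session token.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = applicant_id
    return token


def fetch_hardened(ref, session_token):
    """Return (http_status, document) for a download request."""
    applicant = SESSIONS.get(session_token or "")
    if applicant is None:
        return 401, None                      # not authenticated
    record = APPLICATIONS.get(ref)
    # Same answer for "no such record" and "not your record", so the
    # response does not confirm which references exist.
    if record is None or record["owner"] != applicant:
        return 404, None
    return 200, record["document"]
```

The random reference only makes guessing impractical; the ownership check is what stops one applicant from reading another's file.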
Passports, full-face photographs, travel itineraries, and personal details of applicants from dozens of countries—including the United States, United Kingdom, Australia, Kenya, Colombia, and several European nations—were freely downloadable for weeks. Reports indicate that over 35,000 records were compromised, with data circulating on social media and potentially the dark web.
On Monday, November 10, the old portal was quietly replaced with a redirect notice directing users to a new platform, etas.gov.so, operated by the Immigration and Citizenship Agency (ICA). The notice offers options to track previous applications or submit new ones but makes no mention of the breach or the data exposure.
As of Tuesday afternoon, the Somali government has issued no official statement acknowledging the incident, detailing the scope of the compromise, or confirming whether affected individuals have been notified.
The silence has drawn sharp criticism from cybersecurity experts and diaspora communities. People who travel to Somalia—diplomats, aid workers, journalists, businesspeople—are already at high risk. Having their personal data openly available is unthinkable.
Travelers whose information was exposed now face potential identity theft, targeted phishing, or physical danger in a country where al-Shabaab and other armed groups continue to operate. Some security analysts warn that the leaked data could be used to track the movements of foreign personnel inside Somalia.
The Somalia Immigration and Citizenship Agency has urged applicants to avoid third-party visa websites and to contact embassies directly for assistance until the new system is fully operational. However, several users report that the replacement portal, etas.gov.so, appears to use similar design elements to its predecessor, raising doubts about whether the underlying vulnerabilities have been addressed.
International partners, including the European Union—which has provided technical assistance for Somalia’s digital migration—have yet to issue public comment on the incident. Diplomatic sources in Nairobi report no alarming updates, though some say embassies are quietly advising citizens to assume their data is compromised and to take precautionary measures.
The e-visa system was launched in August 2025 and made mandatory from September 1. Most people viewed it as a mechanism benefiting only Somalia’s leadership and close associates, with fees allegedly diverted to private accounts rather than the Ministry of Finance’s single treasury account—a violation of financial transparency rules.
The policy also ignited political tensions, particularly with the Republic of Somaliland. Mogadishu insisted that the e-visa applied to all travelers entering Somali territory, including those bound for Somaliland cities like Hargeisa. Many saw this as an attempt to restrict Somaliland’s immigration and aviation autonomy.
Somaliland swiftly rejected the system, declaring Somalia-issued e-visas “illegal” and unenforceable. Its Civil Aviation Authority banned airlines from requiring the federal e-visa for Somaliland-bound passengers and began enforcing overflight permits, escalating the airspace dispute.
Puntland also opposed the mandate, viewing it as federal overreach. The data breach has amplified these criticisms, with some describing the system as a “fiasco” rooted in corruption and illegitimate bureaucracy.
For now, anyone who applied for a Somalia visa through evisa.gov.so since its launch is advised to contact their national passport authority or data-protection regulator immediately and to monitor for suspicious activity.
The shutdown of the e-visa portal marks another setback for Somalia’s efforts to modernize public services and attract foreign investment, underscoring the persistent challenges of building secure digital infrastructure in a fragile state plagued by political divisions and governance issues.














