A recently uncovered weakness in Somalia’s electronic visa system has triggered fresh alarm over the protection of travelers’ personal information, coming just weeks after authorities admitted to a large-scale data breach affecting tens of thousands of applicants. Findings indicate that the Somalia e-visa platform is missing basic security safeguards, allowing unauthorized access to and downloading of sensitive documents with little technical effort.

The vulnerability was confirmed this week by Al Jazeera following a tip from a source with professional web development experience. The source explained that flaws in the e-visa system could be exploited to extract large volumes of visa application files containing highly confidential data. This exposed information reportedly includes passport details, full names, and dates of birth, data that could be abused for criminal activities or intelligence purposes.

According to the source, evidence of the security lapse was shared with Al Jazeera, along with proof that Somali authorities had been formally notified about the vulnerability a week earlier. Despite these warnings, the source said there was no response from officials and no sign that corrective measures had been taken.

Al Jazeera independently confirmed the claims by recreating the flaw as described. During testing, journalists were able to download e-visa documents belonging to dozens of individuals in a short time. The affected records included applicants from multiple countries, such as Somalia, Portugal, Sweden, the United States, and Switzerland.

“Breaches involving sensitive personal data are particularly dangerous as they put people at risk of various harms, including identity theft, fraud, and intelligence gathering by malicious actors,” Bridget Andere, a senior policy analyst at the digital rights organization Access Now, said in comments to Al Jazeera. She added that such incidents go beyond technical shortcomings and can have long-term implications for personal safety and privacy.

This latest Somalia e-visa security issue emerges less than a month after officials announced an investigation into a prior cyberattack on the same system. That earlier breach drew warnings from both the United States and the United Kingdom. According to official alerts, personal data belonging to more than 35,000 Somalia e-visa applicants had been exposed. The US Embassy in Somalia previously said the leaked information included names, photographs, dates and places of birth, email addresses, marital status, and home addresses.

Following that incident, Somalia’s Immigration and Citizenship Agency (ICA) shifted the e-visa platform to a new web domain, stating that the move was intended to improve security. On November 16, the agency said it was treating the breach with “special importance” and confirmed that an investigation was underway. However, the emergence of a new vulnerability suggests that deeper security weaknesses may still persist.

Earlier the same week, Somalia’s Defence Minister, Ahmed Moalim Figi, publicly commended the e-visa system, saying it had helped prevent ISIL (ISIS) fighters from entering the country amid ongoing military operations against a regional affiliate in northern Somalia.

“The government's push to deploy the e-visa system despite being clearly unprepared for potential risks, then redeploying it after a serious data breach, is a clear example of how disregard for people's concerns and rights when introducing digital infrastructures can erode public trust and create avoidable vulnerabilities,” Andere said. She also voiced concern that Somali authorities had not issued a public notice regarding the serious data breach reported in November.

Under Somalia’s data protection law, organizations handling personal data are required to inform the national data protection authority when breaches occur. In cases involving high risk, particularly where sensitive personal data is exposed, affected individuals must also be notified. “Extra protections should apply in this case because it involves people of different nationalities and therefore multiple legal jurisdictions,” Andere added.

Al Jazeera stated that it could not publish specific technical details of the newly discovered flaw because it remains unpatched and could be exploited further if disclosed. Any sensitive data accessed during the investigation was destroyed to safeguard the privacy of those impacted.