New Security Flaw Threatens Somalia’s E-Visa System
A newly discovered vulnerability in Somalia’s electronic visa platform has raised significant alarms about the protection of personal information belonging to numerous travelers. This revelation comes just weeks after the country acknowledged a significant data breach that compromised information for tens of thousands of applicants.
Details of the Vulnerability
Reports indicate that the Somalia e-visa system lacks crucial security measures, making it alarmingly easy for unauthorized individuals to access and retrieve sensitive documents. The concern is that a significant number of visa files, which include sensitive data such as passport details, full names, and birth dates, could be downloaded with minimal effort.
Al Jazeera confirmed this security flaw following a tip from an individual with expertise in web development. This source demonstrated that the e-visa platform could be exploited to access substantial amounts of highly confidential information.
Unheeded Warnings and Independent Verification
The whistleblower provided evidence of the exposed data to Al Jazeera, revealing that they had previously warned Somali authorities about the vulnerability. Despite this alert, the source reported that there was no response from officials, and it appeared that the flaw remained unaddressed.
To verify the claims, Al Jazeera conducted tests replicating the reported vulnerability. In doing so, journalists were able to download e-visas belonging to multiple individuals within a short timeframe. The exposed data included applicants from various countries, including Somalia, Portugal, Sweden, the United States, and Switzerland.
Bridget Andere, a senior policy analyst at the digital rights organization Access Now, spoke on the severity of such breaches. She noted that exposing sensitive personal information poses serious risks, including identity theft and potential fraud. The consequences of these data breaches extend beyond mere technical issues; they impact individual safety and privacy in profound ways.
Context of Existing Cybersecurity Issues
This recent e-visa flaw surfaces in the wake of a previous incident, where Somali authorities had reported a major cyberattack on the same system just a month earlier. That breach had garnered warnings from the governments of the United States and the United Kingdom due to personal information leakage affecting over 35,000 applicants.
During that incident, the US Embassy in Somalia disclosed that compromised data included names, photographs, birthdates, and home addresses of the applicants. Following the breach, Somalia’s Immigration and Citizenship Agency (ICA) announced that they would be relocating the e-visa platform to a new internet domain, claiming it was part of their effort to enhance security. On November 16, officials stated that special importance was being placed on investigating the earlier breach. However, the new vulnerability suggests that foundational security problems may not have been adequately addressed.
Clash Between Security Claims and Legal Obligations
In the wake of the latest discovery, Somalia’s Defense Minister Ahmed Moalim Fiqi had publicly praised the e-visa system, asserting its role in combating illegal entry by ISIS fighters during ongoing military operations.
However, Bridget Andere raised concerns about the government’s approach. The decision to push forward with the e-visa system without proper safeguards, particularly after experiencing significant data breaches, showcases a troubling disregard for public trust and individual rights. She criticized the lack of formal notification regarding the serious breaches, which are mandatory under Somalia’s data protection laws.
According to these regulations, data controllers must report breaches to the national authority, and in high-risk scenarios, they must inform affected individuals. Andere emphasized that due to the multinational nature of the affected parties, enhanced protections should be enacted.
Al Jazeera has refrained from sharing specific technical details regarding the current vulnerability, as it remains unaddressed. Protecting the privacy of those affected by the breach took priority, leading to the destruction of any sensitive information obtained during the investigation.
This ongoing situation underscores the critical need for Somalia to strengthen its cybersecurity defenses to safeguard the personal data of its citizens and international travelers alike.
