Somalia’s electronic visa website lacks adequate security measures, potentially enabling malicious actors to download thousands of e-visas containing sensitive personal information such as passport details, full names, and dates of birth.
Al Jazeera verified this security vulnerability this week after receiving information from a source with expertise in web development. The source provided Al Jazeera with details about the compromised data and evidence that they had alerted Somali authorities to the vulnerability the previous week.
According to the source, despite their notification, there had been no response from authorities, and the security issue remained unresolved.
“Breach incidents involving sensitive personal data pose significant risks, including potential identity theft, fraud, and intelligence gathering by malicious actors,” stated Bridget Andere, senior policy analyst at digital rights group Access Now.
This security weakness emerges a month after officials announced they had launched an investigation following a ‘hacking incident’ that compromised the country’s e-visa platform.
This week, Al Jazeera successfully replicated the vulnerability identified. They were able to download e-visas containing sensitive information from numerous individuals within a brief timeframe, including the personal details of people from Somalia, Portugal, Sweden, the United States, and Switzerland.
Al Jazeera submitted inquiries to the Somali government regarding the system flaw but did not receive a response.
“The government’s implementation of the e-visa system despite clear unpreparedness for potential risks, followed by redeployment after a significant data breach, exemplifies how, disregard for public concerns and rights when establishing digital infrastructures can undermine trust and create preventable vulnerabilities,” Andere explained.
“It is concerning that Somali authorities have not issued any formal notification regarding the previous serious data breach,” she added.
“In such circumstances, Somalia’s data protection legislation requires data controllers to inform the data protection authority, and for high-risk incidents like this one, to also notify affected individuals,” Andere continued.
“Enhanced protections should apply in this case due to the involvement of individuals from various nationalities, thereby encompassing multiple legal jurisdictions.”
Al Jazeera cannot disclose technical specifics about the breach because the vulnerability remains unfixed, and revealing details could enable hackers to replicate the security breach. All sensitive information obtained during this investigation has been destroyed to protect the privacy of those affected, Al Jazeera stated.
Last month, the US and United Kingdom governments issued a warning about a data breach that exposed the information of more than 35,000 individuals who had applied for a Somali e-visa.
“The leaked data from the breach included visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses,” stated the US Embassy in Somalia.
In response to this data breach, Somalia’s Immigration and Citizenship Agency (ICA) transitioned its e-visa website to a new domain in an attempt to enhance security.
The immigration agency reported on November 16 that it was addressing the matter with “special importance” and had initiated an investigation into the incident.
Earlier that week, Somalia’s Defence Minister Ahmed Moalim Fiqi had praised the e-visa system, asserting it had successfully prevented ISIL (ISIS) fighters from entering the country during an ongoing battle in northern regions against a local affiliate of the group.
Access Now’s Andere emphasized that governments often expedite e-visa system implementations, frequently resulting in insecure environments.
She noted that individuals find it challenging to protect themselves against such data breaches.
“Data protection and cybersecurity considerations are often the first to be neglected,” she stated. “It is impractical to shift responsibility to individuals because the data they provide is essential for the process in question.”
Source: Al Jazeera
