
On November 10, 2025, Somalia experienced one of the most consequential digital exposures in its recent history. A group claiming to have compromised the country’s eVisa platform released sensitive personal information online – passport scans, nationalities, email addresses, and application data belonging to foreign nationals. For days, these documents circulated freely across social media, downloadable by anyone with an internet connection.

Yet the most troubling truth is this: the incident was not caused by an attack at all. It was the result of a preventable misconfiguration – a door left wide open, despite warnings issued weeks earlier. As a cybersecurity professional who has worked extensively in digital governance and cyber operations across developing nations, I can say with confidence that this incident exposes deeper systemic weaknesses, not just a technical fault.

In its official press statement, the Immigration and Citizenship Agency of Somalia (ICA) acknowledged “an unlawful breach targeting parts of the passenger information system (e-TAS).” The Agency stated that upon discovery, it took “immediate measures to suspend and investigate the incident” with the goal of minimizing its impact.

The ICA emphasized that the Somali government has elevated the issue to the highest priority, appointing a national investigative committee composed of security institutions, international forensic specialists, and relevant government agencies responsible for data protection. The committee’s mandate is to determine the scope of the attempted breach, its origin, and its potential implications.

The Agency assured the public that once the official investigation concludes, a comprehensive report will be published detailing verified findings and corrective actions. During the investigation, individuals potentially affected will be notified directly through official government channels. ICA further urged both Somali citizens and international travelers to rely solely on its verified platforms for information, warning against misinformation.

In closing, the Agency expressed regret for the incident and reiterated that safeguarding personal data remains a top priority. It pledged to strengthen its digital security controls, including the deployment of modern data-protection standards and multi-factor authentication across all ICA services.

This is the government’s official position. But as cyber professionals know, official statements tell only part of the story.

According to internal records and independent verification, a critical vulnerability in the eVisa document storage system was identified in October 2025 – a full month before the breach became public. The warning was straightforward: passport scans and supporting documents were being stored in a publicly accessible directory without authentication or access controls. Anyone who discovered the location could download them.

By November 10, the predicted scenario unfolded. Sensitive passport data began spreading online. Researchers later confirmed that as of November 14, the exposed files were still accessible on the open web. Only after the data had circulated widely was the issue finally contained.

This timeline paints a picture of a preventable disaster rather than a sophisticated breach.

Foreign nationals applying for Somali visas upload deeply sensitive identity documents. The exposed data included passport scans, full names, nationalities, contact addresses, and application metadata.

This level of detail is a treasure trove for cybercriminals. Passport images alone can facilitate identity theft, fraudulent travel documentation, financial fraud, and targeted phishing. For diplomats, humanitarian workers, and international contractors – who frequently use Somalia’s eVisa system – the risk is even more serious.

Despite the significance of the exposure, no public notification was issued to affected individuals or foreign missions in the immediate aftermath. This lack of transparency compounds the damage by denying victims the chance to protect themselves.

While the misconfiguration caused the immediate breach, the underlying issue is far more concerning. It points to a broader structural problem within Somalia’s digital governance ecosystem, particularly around procurement and data sovereignty.

The eVisa platform is not operated directly by the Somali government but by a private contractor – one with limited experience in national-scale digital security. This is not an isolated case but part of a larger pattern:

• Immigration systems rely on foreign-hosted infrastructure.

• The national payment system is reportedly hosted in the United Arab Emirates.

• Electoral systems are said to be operated by companies based in Ethiopia.

Several of these vendors are new companies with limited history, operating outside Somali jurisdiction.

This creates a precarious environment where critical national data is stored offshore, under foreign legal frameworks, with vendors that have not undergone rigorous security vetting. The absence of a strong procurement framework means systems handling passport data, financial records, or election infrastructure may not meet international security standards.

From a cyber-operations standpoint, this is a strategic vulnerability with national-security implications.

Examining the incident through a cybersecurity lens, the failure was not technological; it was institutional. The real issues were:

• Weak access control management

• Failure of vendor oversight

• Inadequate monitoring

• No incident escalation mechanism

• Absence of internal accountability

No sophisticated attacker breached the system. The system was left exposed.

When a vulnerability is known, documented, and ignored, the problem is not the hacker—it is the governance structure itself.

Foreign travelers may lose confidence in Somalia’s digital services. Partner governments could issue travel advisories, creating diplomatic friction.

If diplomats or aid workers were among those exposed, the breach becomes a foreign policy issue, not just a technical one.

Once a system is revealed to be insecure, it attracts malicious actors. What happened due to negligence today may invite deliberate attacks tomorrow.

What Somalia must do now

To restore trust, Somalia must move beyond temporary fixes and toward structural reform. Immediate actions should include:

• Public notification to affected individuals and diplomatic missions

• Independent forensic investigation to determine scope and damage

• Creation of a National Cybersecurity Authority with regulatory authority

• Security-focused procurement policies, including vendor audits and certification

• Mandated hosting of critical national systems on Somali-controlled infrastructure

Rebuilding trust requires transparency, accountability, and investment in digital sovereignty.

Final Thoughts: A Choice Point for Somalia’s Digital Future

This incident is more than a misconfiguration. It is a revelation of systemic gaps in governance, risk management, and national digital strategy. The warning signs were clear, the risks were known, and the harm was preventable.

Somalia now stands at a decisive moment. It can strengthen its digital infrastructure, enforce cyber governance, and honor the trust placed in its public systems. 

Or it can continue a pattern of reactive responses, deepening vulnerabilities and eroding global confidence.

As a cybersecurity professional, I can say this with certainty: trust is not restored by statements—it is restored by action.

Bashir Dhore is a CISSP-certified cybersecurity expert with a Master’s in Cyber Operations and over 10 years of experience. He specializes in Digital Forensics and Incident Response (DFIR), currently leads DFIR teams, and advises organizations on incident response, threat analysis, and cyber resilience.
