Somalia's E-Visa system breached, exposing data of over 35,000 applicants

Somalia's electronic visa system suffered a significant data breach on November 11, 2025, exposing sensitive personal information of at least 35,000 visa applicants, including thousands of U.S. citizens and other Western nationals. 

The United States Embassy in Mogadishu confirmed the incident on November 14, 2025, citing widespread reports that unidentified hackers penetrated Somalia's e-visa platform, which had only been operational since September 1, 2025. 

Compromised data has been circulating widely on social media platforms, creating serious security concerns for diplomats, aid workers, military personnel, and international travelers. The cyberattack exposed sensitive visa applicant information, including:

• Names
• Passport photos
• Dates and places of birth
• Email addresses
• Marital status
• Home addresses
• Passport numbers
• Biometric identifiers (eye color, height)
• Payment transaction information

At least 35,000 individuals were affected by the breach, including approximately 2,298 U.S. citizens according to some reports. The leaked database reportedly contains over 125,000 visa applications with complete travel records accessible to anyone on the internet for weeks. 

The e-visa system's security vulnerabilities have been attributed to multiple factors, including weak infrastructure, poor authentication measures, and questionable operational practices. Initial reports suggest that sensitive data was stored on personal devices rather than within secured government infrastructure. 

The e-visa program is managed by a private company reportedly linked to the family of Somalia's president. A confidential security report obtained by media outlets revealed the system fraudulently overcharged travelers $287,808 through duplicate charges, with some paying up to $256 for a $64 visa. The system's terms of service contractually forbid refund claims or chargebacks, creating what critics describe as a payment system designed for exploitation rather than legitimate visa processing.

Both the United States and United Kingdom embassies issued urgent security alerts advising their nationals about the breach. The U.S. Embassy stated it could not verify whether any individual U.S. citizen's information had been compromised but advised all e-visa applicants to assume their data may have been exposed. The embassy recommended affected individuals monitor announcements from Somalia's Immigration and Citizenship Agency, check for suspicious activity, and consult Federal Trade Commission resources on data breaches. The UK Embassy warned that "this data breach is ongoing and could expose any personal data you enter into the system," urging British nationals to consider the risks before applying for visas. 

The breach has caused concern among Western diplomats, contractors, and security personnel stationed in Somalia. Several reportedly left the country amid fears their data may have been compromised.