Key takeaways of Somalia e-Visa leak
A statement from the US embassy in Mogadishu warns that Somalia’s previous electronic visa portal has been penetrated by unknown hackers, jeopardising sensitive personal details of at least 35,000 applicants (US embassy statement). British authorities echo the alert, advising travellers to weigh the risk before submitting new information to the replacement platform now active.
Documents already circulating on the internet reportedly contain names, photographs, birth dates, marital status, residential addresses and email contacts. Diplomats stress that the breach remains active, meaning new entries could also be intercepted. Somali officials have not yet issued a formal comment, but the government quietly redirected visa traffic from evisa.gov.so to etas.gov.so earlier this month.
Background: digital visa race in the Horn
Somalia adopted an online visa regime to modernise border management and capture revenue from growing business and humanitarian traffic passing through Aden’s Gulf. The initiative also aligned Mogadishu with a continental shift toward contact-less travel documentation, a model popularised by Kenya, Ethiopia and Rwanda. Critics, however, have long questioned the robustness of Somalia’s cyber-defences and data-protection laws.
The dispute complicates an already fragile political landscape. Somaliland, the self-declared republic in the northwest, considers Somalia’s visa requirement an encroachment on its autonomy. Puntland, a semi-autonomous region in the northeast, has likewise argued that centralised fee collection disadvantages peripheral airports that lack digital infrastructure.
Timeline of the breach and platform shift
Cyber-security researchers tracking open-source forums first noticed batches of visa application files for sale in late October. By early November, screenshots displaying passports and family information were shared on social media, prompting foreign missions to seek clarification from Somali regulators.
Within days, the Somali government launched etas.gov.so without detailing the reasons for abandoning the older site. Embassy officials believe the migration aimed to seal the vulnerability, yet they note that the new portal relies on much of the same backend code, leaving questions about its resilience unanswered.
Stakeholders: Mogadishu, Hargeisa and beyond
The Somalia Civil Aviation Authority insists it remains the sole legal manager of the Mogadishu Flight Information Region—a corridor covering the entire national air-space. It has ordered airlines to ignore directives issued by any entity other than Mogadishu, warning of safety risks and possible legal action for non-compliance.
Conversely, Somaliland’s President Abdirahman Irro instructed carriers to obtain clearance from Hargeisa and declared that passengers could secure visas on arrival, dismissing the federal e-visa as unsafe. Somaliland’s Foreign Minister argues that leaked data might land in extremist hands, a claim intended to bolster Hargeisa’s separate identity and governance capacity.
Cybersecurity meets sovereignty in contested skies
The breach sharpens a long-running tussle over who controls Somali airspace. A 2017 agreement gave Mogadishu technical oversight, but local controllers in Hargeisa continue to direct flights, as evidenced by ministry footage showing staff rerouting aircraft. While celebrated in Somaliland, the practice places airlines in a legal grey zone between duelling authorities.
Major carriers—Turkish Airlines, Ethiopian Airlines and FlyDubai among them—have opted to demand the federal e-visa before boarding, citing International Civil Aviation Organization rules. Their stance leaves Somaliland-bound passengers stranded at departure gates if they forgo the federal authorisation, intensifying public frustration and exposing fissures in Somalia’s federal architecture.
Possible scenarios for travellers and airlines
If Mogadishu restores confidence in its platform, carriers are likely to maintain current boarding policies, limiting Somaliland’s leverage. A lingering perception of insecurity, however, could push airlines to seek bilateral understandings with Hargeisa to avoid route disruptions—an outcome that would test Somalia’s diplomatic capital.
A coordinated investigation with international cyber-crime units could speed technical remediation while signalling institutional maturity. Failure to act decisively risks reputational damage, discouraging investment and tourism precisely when Somalia seeks to showcase reforms ahead of renewed debt-relief talks with the International Monetary Fund. For now, caution remains the traveller’s best passport.
