Somalia’s e-visa breach
also ft another breach in Kenya and other infosec news from across Af
CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.
HIGHLIGHTS
Somalia’s e-visa breach

This week, Somalia’s e-visa system coughed up the dataset of 35,000+ people who have used the platform before, including, as many media outlets covered it, Brits and Americans (eye roll).
A few weeks ago, Somalia’s defense minister praised the portal for its effectiveness in keeping out insurgents, which was a key reason for its development. In September, Somalia launched its fresh-off-the-press e-visa platform for security and economic reasons. “We are using this system to make sure nobody enters or leaves the country without being checked, and without us having their information,” Director-General of the Somali Immigration and Citizenship Agency, Mustafa Duhulow, told TRT Africa shortly after launch.
Well, what happens when you do not thoroughly consider the security of a tool meant to improve security? You get something cybersec nerds call an Insecure Direct Object Reference (IDOR) vulnerability: a flaw where a system does not properly check whether a user has permission to access a specific object, like a file, a database record, or a user profile. Attackers can then exploit this by manipulating direct references in a request, such as changing a user ID in a URL, to gain unauthorized access to sensitive information or perform unauthorized actions.
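The missing check described above, as an added Python example (not code from the Somali portal or from this newsletter): a lookup that trusts the ID in the request, next to one that ties the record to the logged-in account and counts denied lookups for review. The record store, field names, and threshold are hypothetical and constructed for illustration.

```python
# Added illustration: object-level authorization for a records lookup.
# All names and data below are hypothetical, constructed for this example.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str      # account that submitted the application
    passport: str


# Constructed sample records (not real data).
DB = {
    1001: Application(1001, "alice", "P-CONSTRUCTED-1"),
    1002: Application(1002, "bob", "P-CONSTRUCTED-2"),
    1003: Application(1003, "carol", "P-CONSTRUCTED-3"),
}

denied = Counter()  # per-account count of denied lookups, for alerting


class Forbidden(Exception):
    pass


def fetch_vulnerable(session_user: str, app_id: int) -> Application:
    """IDOR: the caller is logged in, but ownership is never checked."""
    return DB[app_id]


def fetch_hardened(session_user: str, app_id: int) -> Application:
    """Return the record only if it belongs to the session's account."""
    record = DB.get(app_id)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which IDs exist.
    if record is None or record.owner != session_user:
        denied[session_user] += 1
        raise Forbidden("not found")
    return record


def accounts_to_review(threshold: int = 3) -> list[str]:
    """Accounts with repeated denied lookups, a sign of ID enumeration."""
    return sorted(u for u, n in denied.items() if n >= threshold)
```

The ownership comparison happens on the server against the authenticated session, never against a value the client supplies in the request.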
Usually, by law, systems like this pass through a standardization body before deployment. In Somalia, that would be the National Communications Authority (NCA), under which the Somalia Computer Emergency Response Team/Coordination Center (SomCERT/CC) was established (in 2019). SomCERT's mandate is comprehensive: to act as the single point of contact for government, ISPs, telecom operators, and citizens for reporting cyber incidents, and to develop, evaluate, and certify the security of IT products and systems, including providing guidance and introducing regulations.
SomCERT holds a constitutional mandate to secure government platforms and check if that security exists on paper. So, what happened?
The effective maturity and enforcement capability lag far behind the mandate. Somalia's cybersecurity capacity has been consistently identified as fragile, suffering from a historical lack of a unified national cybersecurity strategy (though one has been drafted) and resource constraints. The country has been working with international partners, like the World Bank and the University of Oxford’s Global Cyber Security Capacity Centre, to perform a Cybersecurity Capacity Maturity Model (CMM) review to identify critical gaps. This process confirmed a deficit in incident response capabilities and limited protections for digital critical infrastructure. So, while the framework for demanding platform security exists, the institutional and technical muscle to perform consistent, deep security audits, enforce compliance on third-party contractors, and swiftly penalize negligence is still developing.
Another breach in Kenya
In mid-November, just days after the Somalia e-visa chaos, Kenya’s digital infrastructure took a coordinated hit. Multiple government websites, including those for the Ministries of Interior, Health, and Education, were either knocked completely offline or defaced. Chatter and official government notices mentioned a group called PCP@Kenya.
"PCP@Kenya" is probably just a digital handle, not a registered corporation. But the attribution itself is fascinating because of what it isn't. The attack wasn’t claimed by a known financial ransomware group or by the usual suspects with clear regional beef, like Anonymous Sudan. This suggests that a political motive and narrative return were being sought. The defaced pages displayed vile, extremist messages, specifically neo-Nazi slogans like "Heil Hitler" and "White power worldwide."
Never say never, but if you're a hacker group from the Horn of Africa naming yourself PCP@Kenya, your internal monologue probably isn't "We need to promote the Third Reich." It might, however, be: "How do we get the biggest, most damaging headline possible?"
Kenya, as always, is constantly trying to arbitrage the cost of infrastructure vs. the risk of getting hit. In June 2023, Anonymous Sudan hit eCitizen, Kenya’s citizenship and visa portal.
Until the internal political and economic pain of a massive, embarrassing breach demonstrably exceeds the operational cost of continuous, high-grade security, the market will remain profitable for the attackers.
FEATURE
The Africa Taskforce on Child Online Protection is a significant, continent-wide initiative to address the risks associated with the rapid surge of children accessing the internet. This taskforce, launched as a partnership between the GSMA (representing mobile operators), UNICEF, and a coalition of government, private, and civil-society stakeholders, is the first dedicated, multi-stakeholder platform for child online protection in Africa.
HEADLINE
Ghana–Nigeria ties in tackling human trafficking & cybercrime
Cybersecurity, Illicit financial flows, and achieving Agenda 2063 in Africa
Nigeria: Remita warns Nigeria, African nations risk digital colonisation without data ownership
Mali: Orange Mali raises $92.5 million to speed up digital access expansion
Data and sovereignty: Burundi takes a key step in its digital transformation
Presentation of the draft law on cybersecurity to the National Assembly of Djibouti
Nigeria’s AI bill puts control first, but at what cost to innovation?
Senegal orders municipalities to adopt a secure, state-approved system for citizen data
See you next week.