
SOMALIA’S E-VISA SCAM: Leaked Report Confirms $288k in Overcharges—U.S. Embassy In Somalia Now Warns of Breach


U.S. government confirms the data breach: 2,298 American citizens among 35,000 compromised, endangering U.S. lives. Confidential report reveals Mogadishu built a payment system designed to steal, with contractual terms forbidding refunds.


The United States Embassy in Somalia has officially confirmed Somalia’s e-visa system suffered a catastrophic breach exposing the personal data of at least 35,000 people, including 2,298 U.S. citizens whose passport details, photos, and travel patterns are now accessible to anyone with an internet connection—including al-Shabaab.

In a November 13 security alert, the U.S. Embassy warned American citizens that “multiple sources reported credible allegations that unidentified hackers penetrated Somalia’s e-visa system potentially exposing the personal data of at least 35,000 people, including possibly thousands of U.S. citizens.” The leaked data includes visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses.

A confidential security report obtained by Somaliland Chronicle reveals the breach goes far beyond data exposure. The internal report, classified “CONFIDENTIAL – GOVERNMENT ONLY” and dated October 2025, documents how Mogadishu fraudulently overcharged travelers $287,808 while its public-facing terms of service contractually forbid victims from claiming refunds or initiating chargebacks.

The breach exposed 125,000+ visa applications, sensitive banking information, system-level administrator passwords, and 12,413 payment transactions totaling $794,432. The report’s findings, combined with Somalia’s official e-visa website terms, reveal a payment system designed for theft.


2,298 Americans on a Terrorist Kill List

As Chronicle reported on November 11, the breach created a terrorist targeting database. Complete travel records—passport details, photos, email addresses, and movement patterns—of 35,000 international travelers were fully accessible to anyone on the internet for weeks. Among them: 2,298 American citizens.

The breakdown of exposed nationalities reads like a directory of Western targets in a country where al-Shabaab has spent two decades killing foreigners. Kenya leads with 13,325 passport records exposed, followed by the United Kingdom with 3,027, and the United States with 2,298. The Netherlands accounts for 2,040 exposed records, Colombia 1,686, Sweden 1,679, Norway 1,058, and Canada 972. India, Finland, Ethiopia, Uganda, Pakistan, Denmark, Turkey, and Belgium each lost hundreds to thousands of passport records to the breach.

The confidential report warns that “these individuals’ travel patterns, passport details, photos, and contact information were fully accessible. This creates significant operational security risks for international personnel working in Somalia.”

How many of the 2,298 compromised Americans were traveling on official business remains unknown. The U.S. Embassy’s November 13 alert acknowledges it is “unable to confirm whether an individual’s data is part of the breach” but advises all e-visa applicants to assume they are compromised. The Somali government has yet to issue a public statement or notify victims.


The Payment Fraud: $288k Stolen, Zero Recourse

The internal report confirms the payment system levied $287,808 in duplicate charges against 1,519 customers, with some paying $256 for a $64 visa. Customers paid once. The system charged them again. And again. And again. Some were billed four times for a single visa. No verification. No fraud detection. No refunds.

The official “Terms & Conditions” on the evisa.gov.so portal ensure this fraud is permanent. The terms state: “…the application fee paid by the applicant is non-refundable under any circumstances.” Furthermore, the government explicitly blocks victims from asking their banks for help: “Payments made by credit, debit, or prepaid cards… cannot be reversed or recovered through chargeback procedures.”

The report reveals the system processed 12,413 transactions totaling $794,432—all without once verifying payments with Mastercard. The system didn’t check if transactions succeeded. The report notes: “System doesn’t verify with Mastercard.” Mogadishu built a billing system that doesn’t confirm whether it already took your money.

How many of those 1,519 victims were Americans? How many of the 2,298 exposed U.S. passport holders were among those fraudulently overcharged? The report doesn’t say. The Somali government hasn’t investigated. The U.S. Embassy’s security alert makes no mention of the financial theft—only the data exposure.


608 ‘Rapid-Fire’ Transactions: The Smoking Gun

The report identifies 608 suspicious “rapid-fire” transactions—payments processed in such rapid succession that they could only have been system-generated duplicates or automated fraud. Yet the system had no payment verification, no fraud detection monitoring, and no rate limiting to prevent rapid duplicate charges. The report categorizes the financial risk as “HIGH” and notes the system lacked “monitoring for suspicious transactions.”

The pattern repeats: payment IDs charged three to four times instead of once, customers paying $192-$256 instead of the standard $64 fee, and zero verification that transactions were legitimate government visa payments. The payment processor—Mastercard Payment Gateway Services—was effectively bypassed. Transactions weren’t categorized as official government visa fees but processed as generic service charges, stripping away consumer protections and making chargebacks contractually impossible.
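The two controls the report says were missing, duplicate-charge monitoring and a guard against billing the same payment ID twice, can be sketched as follows. This is an added example, not code from the report or from the e-visa system; the ledger rows, the 60-second "rapid-fire" window, and the `ChargeGuard` name are assumptions, and only the $64 fee comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

VISA_FEE = 64                          # standard fee quoted in the article (USD)
RAPID_WINDOW = timedelta(seconds=60)   # assumed threshold, not from the report

# Constructed sample ledger: (payment_id, ISO timestamp, amount_usd)
SAMPLE_LEDGER = [
    ("PAY-1001", "2025-09-01T10:00:00", 64),
    ("PAY-1002", "2025-09-01T10:05:00", 64),
    ("PAY-1002", "2025-09-01T10:05:02", 64),
    ("PAY-1002", "2025-09-01T10:05:03", 64),
    ("PAY-1002", "2025-09-01T10:05:05", 64),
    ("PAY-1003", "2025-09-01T11:00:00", 64),
    ("PAY-1003", "2025-09-02T09:30:00", 64),
    ("PAY-1004", "2025-09-01T12:00:00", 64),
]


def audit_ledger(ledger, fee=VISA_FEE, window=RAPID_WINDOW):
    """Return one finding per payment ID that was charged more than once."""
    by_id = defaultdict(list)
    for payment_id, ts, amount in ledger:
        by_id[payment_id].append((datetime.fromisoformat(ts), amount))
    findings = []
    for payment_id, charges in sorted(by_id.items()):
        if len(charges) < 2:
            continue
        charges.sort()
        # A charge is "rapid-fire" if it follows the previous one within the window.
        rapid = sum(1 for (t0, _), (t1, _) in zip(charges, charges[1:])
                    if t1 - t0 <= window)
        total = sum(amount for _, amount in charges)
        findings.append({"payment_id": payment_id, "charges": len(charges),
                         "total_paid": total, "overcharge": total - fee,
                         "rapid_fire": rapid})
    return findings


class ChargeGuard:
    """Prevention side: allow at most one capture per payment ID."""

    def __init__(self):
        self._captured = set()

    def try_capture(self, payment_id):
        # Hypothetical hook: a real system would also confirm the result
        # with the payment gateway before marking the ID as captured.
        if payment_id in self._captured:
            return False          # duplicate: refuse instead of billing again
        self._captured.add(payment_id)
        return True


if __name__ == "__main__":
    for finding in audit_ledger(SAMPLE_LEDGER):
        print(finding)
```

On the constructed ledger, the payment ID charged four times surfaces as $256 paid for a $64 visa with three rapid-fire repeats, while the ID charged twice a day apart is flagged as a duplicate but not as rapid-fire.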


Mastercard’s $288k Problem

The confidential report identifies the payment processor as “Mastercard Payment Gateway Services (MPGS)”—the same Mastercard that advertises “Zero Liability Protection” for cardholders and operates extensive fraud monitoring programs for merchants. Yet Mogadishu’s e-visa system processed $287,808 in fraudulent duplicate charges under Mastercard’s watch, with 608 suspicious “rapid-fire” transactions that should have triggered fraud alerts.

Mastercard’s own merchant rules require payment processors to monitor for excessive chargebacks and fraudulent transaction patterns. The company operates an “Excessive Fraud Merchant” program that places merchants into monitoring if they process more than $50,000 in fraud chargebacks. Somalia’s e-visa system exceeded that threshold nearly sixfold in duplicate charges alone.

Under standard card network rules, merchants bear liability for “card-not-present” transactions—the kind processed through the e-visa portal. When fraud occurs, the merchant is responsible for refunds, and their acquiring bank can impose fees, raise rates, or shut down accounts. But Somalia’s Terms & Conditions explicitly forbid refunds and chargebacks, creating a contractual trap that undermines card network consumer protections.

Did Mastercard conduct due diligence before allowing a foreign government with no functional financial oversight to process hundreds of thousands of dollars through its network? Did it review Somalia’s “no refund, no chargeback” terms? Did it notice when the same payment IDs were charged three and four times in rapid succession?

Mastercard’s “Zero Liability Protection” promises cardholders won’t be held responsible for unauthorized transactions. But the protection becomes meaningless when the payment processor enables a merchant to contractually block the dispute process. The 1,519 victims can’t invoke Zero Liability Protection because Somalia’s terms preemptively forbid the chargeback mechanism.

Mastercard has settled merchant fraud liability disputes before—most recently for $199.5 million in 2024 over improper liability shifts to merchants. The company now faces questions about whether it bears responsibility for facilitating fraud by a government merchant that openly advertised its refusal to honor basic consumer protections. Every one of those $287,808 in fraudulent charges generated processing fees for Mastercard.


A “Sovereign” System on a Shared Florida Server

The report confirms Somalia’s entire sovereign immigration database is not located in Somalia. Mogadishu hosts it on a shared cPanel server physically located in Tampa, Florida, operated by Liquid Web, L.L.C., based in Lansing, Michigan. The hosting environment is shared, meaning multiple unrelated websites occupy the same physical server.

By choosing US-based shared hosting, the Somali government has violated its own Data Protection Act, which governs cross-border transfer of citizens’ data. Somalia’s most sensitive immigration records—including those 2,298 American passport holders—are now subject to U.S. legal jurisdiction. A review of the e-visa portal finds no Privacy Policy. American travelers, UN officials, and UK diplomats who used the system were never informed that their data—including passport scans, biometric photos, and travel itineraries—would be stored, unsecured, on a shared server in Tampa.


Total System Compromise: Passwords Published Online

The report confirms the system’s database passwords were “publicly accessible to anyone on the internet” and that visa records could be accessed by “simply changing numbers in the web address”—no login, no authentication, no security. The system used sequential numbering for visa applications, meaning anyone could access the entire database by incrementing a single digit in a URL.

The report identifies five critical vulnerabilities: system files publicly accessible, unrestricted file upload allowing malicious code execution, missing access controls on visa records, payment system vulnerabilities resulting in $287,808 in duplicate charges, and weak authentication on administrative accounts. Each vulnerability is rated “CRITICAL” except the last, which merits “HIGH.” The system had 73 database tables fully exposed, containing 125,000+ visa applications, 34,000+ passport records, 27,000+ email addresses, 123,000+ phone numbers, 20,000+ biometric photos, and 12,400+ payment transactions.

This digital collapse mirrors a physical one. Staff at Mogadishu’s Aden Adde International Airport remain in full work stoppage over unpaid wages and maltreatment by the Turkish firm Favori LLC. The government that cannot pay its airport workers operates an international fraud scheme that has drawn an official warning from the United States government.


Washington Confirms the Breach—But What Can It Do?

The November 13, 2025 U.S. Embassy security alert marks the first official acknowledgment by a Western government of the breach. The alert states: “On November 11, 2025, multiple sources reported credible allegations that unidentified hackers penetrated Somalia’s e-visa system potentially exposing the personal data of at least 35,000 people, including possibly thousands of U.S. citizens.”

The embassy advises American citizens who applied for Somali e-visas to assume their data has been compromised, monitor announcements from the Somali Immigration and Citizenship Agency, and consult Federal Trade Commission resources on data breaches. But the alert is silent on what legal action the United States can take against a foreign government operating a fraudulent data operation on American soil.

Under the CLOUD Act of 2018, U.S. law enforcement has explicit authority to compel U.S.-based technology companies to provide data in their “possession, custody, or control” regardless of where that data is stored. While Somalia is the nominal controller of the e-visa data, the physical servers are operated by Liquid Web, L.L.C., a U.S. company subject to U.S. jurisdiction. The FBI could, in theory, seize the servers, secure the data, and conduct a criminal investigation into the fraud without Somalia’s consent.

Moreover, Executive Order 14117, signed by President Biden in February 2024, explicitly addresses the threat posed when foreign governments store Americans’ “bulk sensitive personal data” on U.S. infrastructure. The order finds that such arrangements pose “an unusual and extraordinary threat” to national security. While Somalia is not currently designated as a “country of concern” under the order, the exposed data of 2,298 Americans—including potential government personnel—and the demonstrable security failures could trigger Department of Justice review.

The State Department’s Level 4 “Do Not Travel” advisory for Somalia remains in effect due to crime, terrorism, civil unrest, health issues, kidnapping, and piracy. Americans must now add to this list: state-sponsored data theft and financial fraud—hosted on American servers, subject to American law.


The Silence of Western Allies

The United States stands alone in its public acknowledgment of the breach. The United Kingdom, whose 3,027 citizens had their passport data exposed, has issued no public warning. The European Union, which provided technical assistance for Somalia’s digital migration, has remained publicly silent. The Netherlands, with 2,040 compromised passport holders, has said nothing. Sweden, with 1,679 exposed citizens, has offered no alert. Norway, Canada, Australia—all silent.

According to diplomatic sources cited by multiple outlets, embassies in Nairobi are “quietly advising” and “privately warning” citizens to presume their data is compromised. But quiet advice and private warnings do not protect aid workers in Mogadishu or diplomats traveling to Somalia. They do not notify the thousands of Europeans, Canadians, and Australians whose passport photos and travel itineraries are now accessible to al-Shabaab. They do not demand accountability for the $287,808 stolen through fraudulent duplicate charges.

The British Embassy in Mogadishu maintains no public advisory on the breach. The UK Foreign, Commonwealth & Development Office’s travel advice for Somalia warns of terrorism, kidnapping, and piracy but makes no mention of the exposure of British passport data. The EU, having funded Somalia’s digital transformation, has not informed European citizens that their investment produced a terrorist targeting database hosted on a shared server in Florida.


The Questions Washington Must Answer

How many of the 2,298 compromised Americans were traveling on official business? Were U.S. government personnel required to use this system? Has the State Department notified all 2,298 affected American citizens by name? Why was Somalia’s e-visa system certified for use by international travelers without basic security audits?

And critically: will the U.S. government use its legal authority over the Tampa-based servers to seize the data, investigate the fraud, and demand restitution for Americans who were overcharged? Or will it issue security alerts and move on?

Mogadishu quietly replaced the evisa.gov.so portal with a new platform, etas.gov.so, on November 10. The old system redirects users to the new site with no mention of the breach or data exposure. Early analysis suggests the replacement system shares concerning structural similarities with its predecessor. The Somali government has issued no official statement acknowledging the incident, detailing the scope of the compromise, or confirming whether affected individuals have been notified.


The Reckoning

Mogadishu has endangered 2,298 American lives, along with thousands more UN workers, British diplomats, and Western aid personnel, while simultaneously operating a “no-refund” scam to steal their money. The breach exposed 35,000 records from 145 countries. The fraud stole $287,808. The contractual terms ensure victims cannot recover a cent.

And it all happened on American soil, under American jurisdiction, using American infrastructure.

The fiction of a functioning Somali state has cost 35,000 people their security, their privacy, and their money—with official confirmation from Washington that 2,298 Americans are among the victims. The question remains: can the world afford to continue funding a regime that robs and exposes its own allies—including the United States—while operating its criminal enterprise from a server farm in Florida?

