INEC Denies Database Hack, Traces Voter Record Leak to Authorized User Account

The Independent National Electoral Commission (INEC) has dismissed claims of a cyberattack on its Continuous Voter Registration (CVR) database, saying preliminary investigations show that information recently circulated from the system was accessed through authorized user credentials and not through any external breach.

The Commission disclosed this in a statement issued on Tuesday by National Commissioner and Chairman of the Information and Voter Education Committee (IVEC), Mohammed Kudu Haruna, following reports alleging unauthorized access to voter registration records and the publication of information relating to a candidate in a recent political party primary election in the Federal Capital Territory (FCT).

According to INEC, an immediate investigation was launched after the allegations surfaced on social media and in sections of the media.

The electoral body explained that registration officers participating in the ongoing nationwide Continuous Voter Registration exercise were granted controlled access to designated components of the CVR system to enable them carry out official responsibilities, including voter registration, transfer requests, and updates of voter records.

However, the Commission said preliminary findings from its audit trail revealed that the information in question was accessed through a valid user account assigned to personnel involved in the CVR exercise.

“The audit trail from the preliminary investigation has enabled the Commission to identify the user account through which the information was accessed,” the statement said.

INEC added that relevant personnel have already been questioned, while departments connected to the incident are cooperating fully with investigators.

The Commission stressed that there was no evidence of hacking or unauthorized external access to its ICT infrastructure.

“Preliminary findings indicate that there was no external breach of the CVR database, no hacking incident, and no unauthorized external access to the Commission’s ICT infrastructure,” INEC stated.

It noted that the incident involved the retrieval and unauthorized release of a specific voter record and does not suggest any compromise of the broader voter registration database containing the records of over 90 million registered voters.

INEC said it is currently examining all technical, administrative, and operational aspects of the incident to establish individual responsibility and determine whether any internal access-control protocols were violated.

The Commission reiterated its commitment to safeguarding voter information and maintaining the integrity of Nigeria’s electoral data systems.

Meanwhile, INEC disclosed that the Department of State Services (DSS) has independently commenced an investigation into the matter.

The electoral body pledged full cooperation with security agencies and warned that any person found culpable would face appropriate legal consequences.

INEC also appealed to the public and media organisations to avoid speculation while investigations are ongoing, assuring Nigerians that the outcome of the probe and any corrective measures taken would be made public in due course.

The statement comes amid growing public concern over data privacy and the security of electoral records ahead of future elections and ongoing voter registration activities across the country.