INEC probes ‘unauthorised’ access to database

The Independent National Electoral Commission (INEC) has commenced an investigation into allegations of unauthorized access to its Continuous Voter Registration (CVR) database and the subsequent leakage of personal information relating to a candidate in a recent political party primary election in the Federal Capital Territory (FCT). The commission disclosed this in a statement on Tuesday by National Commissioner and Chairman of its Information and Voter Education Committee (IVEC), Mohammed Kudu Haruna. INEC stated that the allegations, which have been circulating on social media and in sections of the mainstream press, are being taken seriously, adding that a thorough investigation has been launched to establish the facts surrounding the incident. According to the commission, authorized registration officers participating in the ongoing nationwide CVR exercise are granted controlled access to specific components of the registration system to enable them to register new applicants, process transfer requests, and update voter records. It explained that such access is restricted strictly to official duties and is promptly withdrawn at the conclusion of each daily exercise. The commission revealed that preliminary findings from its system audit trail have enabled it to isolate the specific user account through which the information was compromised. Relevant personnel have already been questioned, and the units connected to the incident are cooperating fully with the investigation. INEC is also examining all technical, administrative, and operational factors associated with the matter to establish responsibility, determine the circumstances surrounding the misuse of the credentials, and identify any breach of internal access-control protocols. However, the commission stressed that findings from its preliminary investigation indicate that there was no external breach of the CVR database, no hacking incident, and no unauthorized external infiltration of its information and communications technology (ICT) infrastructure. Rather, INEC confirmed that the information in question was pulled using valid user credentials assigned to internal personnel, which were subsequently leaked without authorization. “The incident under investigation relates to the unauthorized retrieval of a single, specific voter record and does not indicate any compromise of the commission’s broader voter registration infrastructure or the personal data of over 90 million registered voters,” the statement read. INEC reiterated its commitment to the security, confidentiality, and integrity of voter data, assuring Nigerians that it remains dedicated to institutional transparency and the protection of personal information. The commission also disclosed that the Department of State Services (DSS) has commenced an independent investigation into the matter. It emphasized that it will continue to cooperate with state security agencies and will not hesitate to refer anyone found culpable for appropriate criminal prosecution. INEC urged members of the public and the media to disregard ongoing speculation while the investigation runs its course, promising to make its final findings and disciplinary actions public at the conclusion of the probe.