INEC Chairman Prof Joash Amupitan
Independent National Electoral Commission (INEC) has disclosed that one of its staff members with legitimate access to its Continuous Voter Registration (CVR) database is now at the centre of an investigation into the unauthorised disclosure of a voter record belonging to a candidate in a recent party primary in the Federal Capital Territory (FCT).
INEC confirmed the development on Tuesday in a statement signed by National Commissioner and Chairman of the Information and Voter Education Committee, Mohammed Kudu Haruna, after allegations of a database compromise swept across social media and sections of the press.
According to the electoral umpire, the Department of State Services (DSS) is also now running a parallel probe into the breach.
The commission’s internal audit trail pointed squarely inward. “Preliminary findings from the Commission’s audit trail so far indicate that there was no external breach of the CVR database, no hacking incident, and no unauthorised external access to the Commission’s ICT infrastructure. Rather, the information in question was accessed through valid user credentials assigned to personnel participating in the ongoing CVR exercise but released without authority,” Haruna stated.
Registration officers conducting the nationwide CVR exercise had been granted controlled access to specific components of the database for the limited purposes of registering new applicants, processing transfer requests, and updating voter records — access the commission described as strictly restricted to official duties and withdrawable at the close of the exercise.
INEC said the audit trail had enabled investigators to pinpoint the specific user account through which the record was retrieved.
Relevant personnel had since been questioned, and all units connected with the incident were cooperating with the investigation, said Haruna.
The commission added that it was examining every technical, administrative, and operational angle of the matter to establish individual responsibility and determine whether internal access-control protocols had been violated.
On the reach of the breach, the commission said only a single voter record had been accessed, and the personal data of over 90 million registered voters remained secure. The integrity of the broader voter registration infrastructure, it said, was not in question.
The DSS, INEC disclosed, had launched its own independent investigation without prompting from the commission.
It urged the public and the media to set aside speculation while investigations continued. The commission also pledged to publish its final findings and any measures taken in response to the incident once they were concluded.
