INEC confirms insider accessed voter database without authorisation, denies external hack

The Independent National Electoral Commission (INEC) has confirmed unauthorised access to and the release of information from its Continuous Voter Registration database. This follows allegations on social media and in the press regarding a voter record linked to a candidate in recent Federal Capital Territory party primaries.

In a press statement signed by National Commissioner Mohammed Kudu Haruna and dated June 2, 2026, INEC was clear on one critical point: this was not a hack. No external breach occurred, no outside party gained unauthorised entry into the commission’s ICT infrastructure, and the personal data of over 90 million registered voters was not compromised.

What happened, according to INEC’s preliminary findings, was an insider access problem: valid credentials issued to an authorised registration officer were used to retrieve a specific voter record, which was then released without authority.

“Preliminary findings from the Commission’s audit trail so far indicate that there was no external breach of the CVR database, no hacking incident, and no unauthorised external access to the Commission’s ICT infrastructure,” the statement read. “Rather, the information in question was accessed through valid user credentials assigned to personnel participating in the ongoing CVR exercise but released without authority.”

During the ongoing nationwide CVR exercise, registration officers were granted controlled access to specific components of the system to register new voters, process transfer requests, and update records. That access is designed to be restricted to official duties and withdrawn once the exercise concludes.

In this case, INEC says its audit trail has already identified the specific user account through which the information was accessed. Relevant personnel have been questioned, and all connected units are cooperating with the investigation.

Also read: 2027 elections: INEC required to create permanent database of polling unit results

The Department of State Services (DSS) has also launched its own independent investigation into the matter. INEC said it will cooperate fully with all relevant security agencies and will not hesitate to refer anyone found culpable for legal action.

An insider problem Nigerian institutions like INEC know too well

The incident shows that INEC, like other Nigerian government institutions, has data integrity problems caused by internal rather than external threats. Security experts consistently point out that this type of internal attack is harder to detect and stop than typical cyberattacks.

Earlier this year, the Nigeria Data Protection Commission (NDPC) began investigating a possible data breach at Remita Payment Services and Sterling Bank. This investigation was prompted by reports that sensitive customer information, such as Bank Verification Numbers, Know Your Customer (KYC) documents, and transaction histories, might have been exposed.

Separately, in April, the Corporate Affairs Commission (CAC) reported unauthorised access to some of its internal systems, leading the NDPC to launch another investigation. In both incidents, a key concern was not only what data was accessed but also who initially had access to it.

The INEC incident shows a recurring issue: insider threats are harder to prevent than external attacks. This is because insiders have legitimate access, bypassing standard security measures like firewalls and intrusion detection systems. Protecting against insider threats requires different strategies: detailed audit trails, limiting user access to only what’s essential, and fostering a culture where misuse of credentials has serious consequences.

INEC says its audit trail worked; it identified the user account quickly. The question its investigation now needs to answer is whether the access controls were tight enough in the first place, and whether the person who used those credentials understood that releasing the information constituted a breach of their responsibilities.

The commission said it will keep the public informed of its final findings and any measures taken in response. Until then, it urged Nigerians to disregard speculation while the investigation continues.