The Independent National Electoral Commission (INEC) has initiated a comprehensive investigation in collaboration with the Department of State Services (DSS) following the unauthorized online release of personal voter information belonging to Nollywood actor and politician, Emeka Ike. The incident has sparked widespread concern over data privacy and security.
Background of the Leak
The controversy began when Lere Olayinka, media aide to the Minister of the Federal Capital Territory (FCT), Nyesom Wike, posted screenshots on social media containing sensitive registration data. On Saturday, May 30, Olayinka claimed via his X handle that Ike had transferred his voter registration from Imo State to the FCT. To substantiate his claim, Olayinka attached screenshots that displayed information restricted to INEC's administrative login portal.
Details of the Leaked Information
The leaked documents exposed several pieces of personally identifiable information about the actor, including his full name, profile picture, Voter Identification Number (VIN), unique application number, designated registration centre, and the exact date of his transfer application. This breach triggered public outrage, with many Nigerians demanding accountability over how a political aide gained backend access to private citizen data reserved strictly for electoral officials. In response, Emeka Ike threatened legal action against Olayinka for the severe privacy violation.
INEC's Response and Investigation
In a press statement released on Tuesday, June 2, INEC maintained that its central database remains secure and was not compromised by an external cyberattack. Instead, the commission attributed the leak to internal misuse of credentials. INEC stated that its audit trail from the preliminary investigation successfully identified the specific user account through which the information was accessed, firmly denying any external hack of the Continuous Voter Registration (CVR) platform.
Access Protocols During CVR Exercises
INEC explained that during nationwide CVR exercises, authorized Registration Officers are granted temporary, controlled access to the system to process new enrollments, record updates, and voter transfers. This access is legally bound to official duties and is mandated to be withdrawn once an exercise concludes. The commission emphasized that the incident involved the retrieval of a specific voter record and does not indicate any compromise of the broader voter registration infrastructure or the personal data of over 90 million registered voters.
Handover to DSS and Legal Action
To ensure accountability, INEC confirmed that the matter has been handed over to the DSS, which has opened a criminal investigation into the breach. The electoral umpire emphasized that it takes data privacy violations seriously and will enforce strict disciplinary and legal actions against any personnel found compromising its systems. The DSS has also commenced an independent investigation into the matter.
Full Statement from INEC
Read the full statement below:
"The attention of the Independent National Electoral Commission (INEC) has been drawn to allegations currently circulating on social media and in some sections of the media regarding the alleged unauthorised access to the Commission’s Continuous Voter Registration (CVR) database and the subsequent publication of information on a candidate in the recent primaries of a political party in the Federal Capital Territory.
The Commission takes this allegation seriously and has immediately commenced a thorough investigation to establish the facts surrounding the incident.
As part of the ongoing Continuous Voter Registration (CVR) exercise nationwide, authorised INEC Registration Officers were granted controlled access to specific components of the CVR system to enable them register new applicants, process requests for transfer of registration and update voter records where necessary. Such access is restricted to official duties only and is withdrawn at the conclusion of the exercise.
The audit trail from the preliminary investigation has enabled the Commission to identify the user account through which the information was accessed. Accordingly, relevant personnel have been questioned, and all units connected with the incident are cooperating fully with the investigation.
The Commission is also examining all technical, administrative and operational factors associated with the matter in order to establish individual responsibility and determine the circumstances surrounding the use of those credentials and identify any breach of internal access-control protocols before taking appropriate action against anyone involved.
Preliminary findings from the Commission’s audit trail so far, however, indicate that there was no external breach of the CVR database, no hacking incident, and no unauthorised external access to the Commission’s ICT infrastructure. Rather, the information in question was accessed through valid user credentials assigned to personnel participating in the ongoing CVR exercise but released without authority.
The incident under investigation relates to the retrieval of a specific voter record and does not indicate any compromise of the Commission’s broader voter registration infrastructure or the personal data of over 90 million registered voters.
The Commission wishes to state categorically that it takes the security, confidentiality and integrity of voter data with the utmost seriousness and remains committed to transparency, institutional integrity, and the protection of voters’ personal information.
Furthermore, the Department of State Services (DSS), on its own accord, has commenced an independent investigation into the matter. The Commission will continue to cooperate fully with all relevant security agencies and will not hesitate to refer any person found culpable for appropriate legal action.
Members of the public and the media are therefore urged to disregard unfounded speculations while investigations remain ongoing. The Commission will continue to keep the public informed of its final findings and any measures taken in response to the incident in due course."
