IEBC denies server hacking claim, says BVR system secure

IEBC chairman Wafula Chebukati

Mr Wafula Chebukati, chairman of the Independent Electoral and Boundaries Commission.

Photo credit: File | Nation Media Group

The electoral agency Sunday refuted claims that hackers infiltrated its servers and obtained the personal details of at least 61,000 registered voters.

Earlier, the Directorate of Criminal Investigations (DCI) said it had arrested a 21-year-old fraud suspect said to have hacked into the servers of the Independent Electoral and Boundaries Commission (IEBC).

The suspect, identified by the DCI only as Kiprop, is said to be the brains behind a high tech mobile phone scam syndicate that has been stealing millions of shillings from M-Pesa agents across the country.

In a statement on Sunday, however, IEBC chairman Wafula Chebukati said these reports were not factual.

Mr Chebukati explained that the register of voters is kept in a Biometric Voter Registration (BVR) system, which he said has never been tampered with since it was installed eight years ago.

According to Mr Chebukati, the BVR system was designed to have its own isolated network making it difficult for hackers to infiltrate it.

“Since installation and commissioning of the system eight years ago, the BVR system that hosts the register of voters used during elections has never been hacked because the servers are not connected to the open internet,” the statement said.

“In addition, the rest of the commission's entire internal network is behind a high security firewall system.”

Possible sources

Mr Chebukati said the data in question could have been obtained from entities that acquired it through legitimate means.

The Constitution allows the IEBC to give part of the register of voters - for specific electoral areas - at a fee.

“The commission services numerous requests by various entities requiring the register of voters for specific electoral areas. These requests are serviced upon payment of certain fees and in accordance with privacy laws requiring personally identifiable information to be kept confidential.

In 2019, the Orange Democratic Movement paid Sh15,000 for the register for Kibra Constituency, Nairobi, during a by-election that followed the death of MP Ken Okoth.

The IEBC chair said: “What is currently being reported in the media is not data obtained through hacking of the BVR system but possibly from entities that may have legitimately obtained it from the commission through formal requests and upon payment of requisite fees.”

DCI's report

The DCI claimed Kiprop gained access to IEBC’s database and stole the personal details of 61,617 registered voters from a county in western Kenya.

The data found in his possession contains names of registered voters, their ID numbers and dates of birth.

According to DCI boss George Kinoti, fraudsters contact different wireless carriers and convince the customer service agents that they are the true owners of the lines.

Upon successful sim swapping, the suspect is granted full access to the victim’s online accounts.

Kiprop, believed to have previously worked for one of Kenya’s mobile phone networks, was arrested on Friday morning and a gunny bag full of Safaricom, Airtel and Telkom sim cards seized.

The suspect was arrested in Juja by sleuths from the Crime Research and Intelligence Bureau, supported by Safaricom’s fraud investigations team and security officers from the Jomo Kenyatta University of Agriculture and Technology.