Colorado election equipment passwords were posted online in June, before primary
Election equipment passwords were improperly disclosed on the Colorado secretary of state’s website starting on June 21, meaning they were accessible online when Colorado’s June 25 primary election took place, according to Jena Griswold, the secretary of state.
The passwords previously were reported to have been exposed since at least early August.
Decision 2024: On-the-ground election coverage in Colorado and by local reporters in all 50 states. Fair. Fearless. Free.
Griswold disclosed on Tuesday that a document posted to her office’s website included a hidden but accessible worksheet containing Basic Input Output System — or BIOS — passwords. Her office said in a news release Monday that the staff member responsible for posting the spreadsheet had left their position “amicably” before state officials discovered the passwords were exposed.
“Through the Department’s assessment, it was determined that a former staff member created a spreadsheet that contained the passwords in a hidden tab,” the news release says. “Storing passwords in this manner is not in line with the Department’s required data security practices and training.”
Griswold’s office did not immediately respond to a request for comment on how the leak might have affected the primary election.
Griswold’s office removed the spreadsheet from its website immediately after it learned of the disclosure on Thursday, Oct. 24. A week later, eight staff members from the Colorado Department of State and an additional 22 state cybersecurity employees were dispatched to affected counties to complete the process of changing the passwords.
The Libertarian Party of Colorado filed a lawsuit Friday asking Denver District Court to order a hand count of general election ballots in affected counties. The election is Tuesday.
The secretary determined election equipment in 34 of Colorado’s 64 counties were affected by the leak. Griswold asserted that Colorado elections have “many layers of security” and voters will still be able to safely have their vote counted on Election Day despite the breach.
“Ensuring that Colorado’s elections are secure and accessible has been and will always be our top priority, which is why the Department of State, along with County Clerks and election workers across the state, address any and every potential risk to our elections with the utmost seriousness,” Griswold, a Democrat, said in a statement. “I am regretful for this error. I am dedicated to making sure we address this matter fully and that mistakes of this nature never happen again.”
Both Republican and Democratic county clerks have also said that Tuesday’s election is secure, particularly since a person must be physically present to use a BIOS password, and election equipment is kept in protected locations.
The secretary of state’s office consulted with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and Dominion Voting Systems after learning of the leak. Dominion machines are used in 62 counties. Staff also investigated web traffic to the subpage where the spreadsheet was posted and determined the data disclosure did not pose an immediate security threat.
The statement says the department first learned of the leak from “a voting machines vendor.”
An unnamed law firm will conduct an outside investigation of the breach to determine how it happened, how future leaks could be prevented and to recommend improved practices and procedures. Griswold’s office will release findings as allowed by law, and all staff will undergo additional cybersecurity training.
Colorado Newsline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Colorado Newsline maintains editorial independence. Contact Editor Quentin Young for questions: info@coloradonewsline.com. Follow Colorado Newsline on Facebook and X.