Updated 10:36 a.m. Nov. 1, 2024.
On Friday morning the Secretary of State’s office announced it had completed password updates for all counties affected by the breach. State officials however do not plan to take other steps demanded by the Trump campaign. CPR News has reached out to the campaigns’ lawyers in Colorado to see if they intend to pursue legal action.
The original story continues below:
Former President Donald Trump’s campaign is demanding that Colorado counties whose voting equipment passwords were exposed online rescan all ballots that have been processed so far.
This comes after the Colorado Secretary of State’s office confirmed that a spreadsheet posted for months on the department’s website included a hidden tab with a list of BIOS passwords for the voting machines. Democratic Secretary of State Jena Griswold said a preliminary investigation indicates the posting was an accident and that it poses no immediate security threat.
However, the Trump campaign wants counties to reset their machines and start over on the processing of ballots.
“The Secretary of State must immediately identify the counties affected by the security breach, notify them, direct them to halt processing of mail ballots, and prepare to re-scan all ballots,” states a press release from the Trump-Vance campaign.
Under Colorado law, counties can open and scan ballots as they’re received, but don’t tabulate the results until 7 p.m. on election night. More than 1.5 million ballots have already been scanned for this election statewide.
The campaign’s attorney in Colorado submitted a letter to Griswold Thursday warning that the password information could have impacted the software update of the voting machines earlier this year.
“As you know, anyone in possession of current BIOS passwords and with access to the affected election systems would have the ability to alter the Trusted Build of those systems without leaving signs of tampering in the software,” said attorney Scott Gessler, a former Colorado Republican Secretary of State.
Griswold said the passwords posted online were “partial” and not enough on their own to access the machines’ operating systems which also requires physical in-person access. Counties require background checks, key card access, and limit the number of employees who can be near the tabulation machines, which are under 24-7 video surveillance.
“We have people in the field working to reset passwords and review access logs for affected counties,” Griswold told CPR News Wednesday. “This is out of an abundance of caution; we do not believe there is a security threat to Colorado's elections.”
Griswold said all indications suggested the passwords were posted accidentally. CPR News has learned from a source familiar with the investigation that the spreadsheet was created by someone who has since left the office, and posted by an employee who was unaware of the hidden tab.
Governor Jared Polis said his office is providing additional resources to help with changing the BIOS passwords, including “human capital, air and ground assets, and other logistical support to complete changes to all the impacted passwords and review logs to ensure that no tampering occurred.”
The Secretary of State’s office passed an emergency election rule to be able to appoint background-checked cybersecurity experts who work in other parts of state government to help with changing voting systems passwords.
Polis said the goal is to get the necessary passwords changed as quickly as possible with minimal impact on vote counting operations.
“We want to be able to provide assurances that all votes are counted fairly and accurately for this election and all elections, and are grateful for the work of the county clerks for overseeing this process with the state’s support,” said Governor Polis in a written statement.
The Colorado Republican Party first alerted the public to the posted passwords in a mass email on Tuesday. While the state was already aware of the situation, clerks were not told until after the email went out. Election officials interviewed by CPR have said because of the range of safeguards currently in place, they’re confident the state’s election systems remain secure.
The two companies that make Colorado’s election equipment, Dominion Voting Systems and Clear Ballot, also said the situation does not pose a direct security risk, and that the BIOS password is just one of the many controls required to maintain the security and integrity of voting system components.
Colorado’s Republicans are asking for more transparency into what happened and who is responsible for posting the hidden tab and whether the posting was intentional. On Thursday, state Sen. Kevin Van Winkle officially requested an emergency meeting of the legislature’s bipartisan audit committee to look into the matter. Van Winkle is a member of the committee, which is split equally between Republicans and Democrats.
“With the election in less than a week, the LAC [Legislative Audit Committee] may be the only available venue to independently and quickly determine if our election systems were ever compromised, to drive corrective action or simply serve as a platform to inform and ensure the public that our state’s voting systems are safe,” wrote Van Winkle in a letter to the committee’s chair, Republican Rep. Lisa Frizell.
To convene such a hearing will take a majority vote of the committee. Audit committee members, in a bipartisan vote in 2021, stripped the committee’s chair of the ability to unilaterally call hearings after a former chair used her power to convene a meeting questioning Colorado’s election integrity.
Frizell said it’s not the only letter that she’s seen requesting action; “There are a lot of other concerns out there not related to this incident.” She said the Secretary of State’s office has had systemic issues over the last few years.
“That starts to undermine the confidence of our Colorado citizens on our voting standards. I think these are reasonable concerns and Colorado voters deserve answers.”
Frizell said she’s crafting her own request for a more comprehensive audit beyond what Van Winkle asked for and will present it to the committee before the end of the year.
- Investigation continues into how Colorado voting machine passwords ended up online
- Secretary of State Jena Griswold says employee responsible for posting voting equipment passwords is gone
- What are Colorado’s voting machine BIOS passwords?
- A ballot’s journey: How your vote gets counted in Colorado
- Worried about your ballot? Here’s how to keep tabs on it
Republican House Minority Leader Rose Pugliese told CPR News she was doubtful an audit would happen. She and other House Republicans are calling for Griswold to resign.
“We are really focused right now on Jena, and the Secretary of State's failure in her office,” said Pugliese. “The people deserve better.”
One Democrat on the committee said he had not yet seen the audit request.
“As with any audit, I would need to see the letter from the requesting persons to better understand the scope and focus of what would be audited,” said Democratic Rep. Andrew Boesenecker, the committee’s vice-chair.
When asked by CPR News about whether there should be an audit, Griswold didn’t answer directly but said there would be an investigation.
“A personnel investigation will be conducted by an outside party to look into the particulars of how this occurred and will continue to address it moving forward,” she said.
Democratic Clerk Molly Fitzpatrick is the current chair of the Colorado County Clerks Association. She said transparency will continue to be critically important moving forward.
“I do think the public deserves to know what happened, but right now we just have to resolve it and make sure folks know the impact as a voter. And so that's what we're trying to catch up on now, is that communications front.”
