Secretary of State details when her office learned of improperly posted passwords, ahead of court hearing

Kevin J. Beaty/Denverite
File – Secretary of State Jena Griswold at the University of Denver. Oct. 11, 2022.

This is a developing story

The Colorado Secretary of State’s office was first alerted that passwords to many of the state’s 2,100 pieces of election equipment were posted online by the maker of some of that equipment.

The state learned of the situation on Oct. 24, five days before the Colorado GOP sent an email to members describing the security breach. 

That information is part of a new timeline of the disclosure the state released ahead of a court hearing Monday afternoon in which the Colorado Libertarian Party is arguing that all affected equipment should be decertified and ballots in those counties tallied by hand.  

“As soon as we got the call, staff took it down, and then we started our planning,” Democratic Secretary of State Jena Griswold said in an interview with CPR News Monday morning.

What they learned was that current passwords to equipment in 34 of Colorado 64 counties were listed on a hidden tab on a spreadsheet that had been online since June. The visible portions of the sheet contained other information about the voting machines that Colorado is required to make public.

Throughout this situation, the state, local clerks and the equipment manufacturers have all emphasized that BIOS passwords can only be entered into machines in person and that this type of voting equipment is stored in locked rooms, under 24-7 video surveillance, with entry limited to back-ground checked staff.

Griswold said to her knowledge none of the BIOS passwords were posted on the dark web or anywhere else on the internet. 

CPR learned last week that the spreadsheet, including the hidden tab, was created by an employee who stopped working in the office earlier this year and that a subsequent employee, who was apparently unaware of the hidden data, posted the spreadsheet online. Griswold on Monday confirmed that the first employee left their job on amicable terms and the second employee still works for the Secretary of State. 

“It is our understanding that there is no evidence that the staff that posted the spreadsheet was aware of the hidden tab,” said Griswold. 

The Secretary of State’s office has contracted with the Denver law firm Garnett Powell Maximon Barlow & Farbes to conduct an outside investigation of the situation, with attorney David Powell leading it. Griswold said any potential consequences for members of her staff would occur after that wraps up. 

“There was a mistake, and because of that, we'll be doing further training with the staff and also contracting with this outside law firm to do a further investigation of how this happened, how it could be prevented, and any other recommendations of improvements of practices and procedures,” said Griswold. 

She said having the passwords stored in plain text on a spreadsheet wasn’t department policy. 

“We do a lot of training and reinforcement that passwords must be stored in a password safe. We need passwords to be in an encrypted setting.”

Griswold also noted that her office did a risk assessment with the U.S Department of Homeland Security in August to look for vulnerabilities of both their internal and external-facing websites and systems. That process failed to turn up the hidden tab. 

The state completed password updates to all affected active voting machines last Thursday. The staff who did those updates also checked to see if any settings had been changed on the equipment and found no security breaches.

Griswold has faced pushback from county clerks for not alerting them to the security breach until several hours after the Colorado GOP sent out its email. She continues to defend that decision.

She said, initially, her office didn’t know whether the passwords were still active, and that until there was a concrete plan for addressing the situation, revealing publicly what had happened would have been “contrary to cybersecurity best practices, and carried a significant risk of fueling a major disinformation environment.” 

It took until several hours after the Colorado Republican party made the information public,  that Griswold’s office had a full understanding of the scope of components impacted and then held a meeting with the clerks that run county elections.

Affidavit says right wing figure found vulnerability, but never told state  

While the password situation was first made public by the Colorado GOP, party officials have not answered questions from the media about when and how they first learned of it.

However, an affidavit signed by conservative activist Shawn Smith says that he found the hidden BIOS passwords tab on the Colorado Secretary of State website multiple times, first on Aug. 8, and confirmed it was still there on Oct. 16 and Oct. 23. 

Smith’s affidavit was included, with his name redacted, in the Republican Party’s press release. CPR News obtained an unredacted version.

Smith is one of the founders of the U.S. Election Integrity Plan (USEIP). The group, which is based in El Paso County, sent grassroots canvassers to neighborhoods around the state to search for voter fraud in the aftermath of the 2020 election. Smith has been a strong proponent of the efforts of Mike Lindell, the CEO of MyPillow, to sow distrust about the 2020 election. He has in the past accused Griswold of criminal conduct around elections and suggested she should be executed.

“I would say, just in general, it's incredibly concerning that someone knew this information and didn't tell us,” said Griswold. 

Libertarians ask judge to restart voting counting, by hand

Despite assurances from Griswold’s office and election officials of both parties that Colorado’s general election remains secure, the Libertarian Party of Colorado is taking legal action against the Secretary of State’s office.

The party is asking a judge to decommission any voting machine associated with the leaked passwords and require affected counties restart counting all of their ballots by hand. 

The party filed its lawsuit against Griswold and Chris Beall, the Deputy Secretary of State, on Friday. The two sides were in court for an emergency hearing Monday afternoon.

“In allowing these passwords to be available to the public, the Secretary has breached her duty to ensure that Colorado’s upcoming General Election is fair and accurate,” states the complaint.

The lawsuit also requests that Colorado’s Attorney General investigate Griswold’s office. 

CPR reached out to the A.G.’s office to ask whether it is involved in investigating the breach and was told in a statement, “This matter is part of litigation against the state, therefore, the attorney general’s office cannot comment.”