Updated 9:09 a.m., Nov. 9, 2024.
The Denver District Attorney’s office has begun an investigation into how many of Colorado’s voting machine passwords ended up online.
Voting machine passwords for equipment in 34 of Colorado’s 64 counties were listed on a hidden tab in a spreadsheet posted on the Secretary of State’s website in June. The state removed the passwords on Oct. 24, after an election vendor discovered them. The public first became aware through an announcement by the Colorado GOP.
A spokesman for the Denver District Attorney’s office would not provide more information about the ongoing investigation beyond confirming it is underway.
It’s not the only prosecutor’s office with its eye on the data breach.
The El Paso County District Attorney’s office said in a press release Friday that it started looking into the situation after receiving two affidavits alleging violations of a state law.
In 2022, state lawmakers responded to the Tina Peters data breach by passing a law stating that “any person who knowingly publishes or causes to be published passwords or other confidential information relating to a voting system shall immediately have their authorized access revoked and is guilty of a class 5 felony.”
The El Paso County DA’s office said it will cooperate with the Denver investigation and provide resources as needed.
“This office will review the investigation conducted by the Denver DA’s Office to determine if further investigation should be conducted, and which office is best suited to complete any additional investigation,” concluded the statement.
The Secretary of State’s office has characterized the breach as accidental, and the office said it welcomes the additional transparency that the investigation will provide to the public.
“The Department of State is supporting and working closely with the Denver District Attorney’s investigation into the staff’s posting of a file that included voting system component passwords,” said a written statement from the office.
According to someone familiar with the investigation, Secretary Griswold is not the target of the investigation, and so far the DA has not found evidence of criminal activity. District attorneys in the 11th judicial district based in Salida and the 18th judicial district based in Centennial also received requests for an investigation, which the Denver DA is conducting.
Secretary of State Jena Griswold said, to the best of her knowledge, the spreadsheet, including the hidden tab, was originally created by an employee who left the office on amicable terms earlier this year and a subsequent employee, who was apparently unaware of the hidden data, posted the spreadsheet online. That person still works for the state.
The visible portions of the spreadsheet contained other information about the voting machines that Colorado is required to make public.
Throughout this situation, the state, local clerks and the equipment manufacturers emphasized that Colorado’s election equipment remains secure. The BIOS passwords, which allow access to a type of “firmware,” or low-level software that controls hardware functions, cannot be accessed remotely. The passwords can only be entered into machines in person, and those machines are stored in counties across Colorado in locked rooms, under 24-7 video surveillance, with entry limited to a small number of background-checked staff.
Griswold’s office has hired employment attorney David Powell, with the Denver law firm Garnett Powell Maximon Barlow & Farbes, to conduct a personnel investigation. She said she will release the results as permitted under the law.
“It is our understanding that there is no evidence that the staff that posted the spreadsheet was aware of the hidden tab,” Griswold told CPR News.
Democratic lawmakers interviewed by CPR News said they support an outside investigation, but that it was premature to comment on whether the scope of Griswold’s personnel investigation would satisfy their request.
“I believe that we need to review how something like this could happen,” said Democratic Speaker of the House Julie McCluskie. “I think it's wise to have that perspective from outside of the department, and certainly, I think it serves all of us to continue to see what more can we do to ensure election security moving forward.”
When the situation first came out, some Republicans on the legislature’s bipartisan Audit Committee called for an emergency meeting and requested an official audit.
However, McCluskie said she didn’t see that as the best approach.
“It felt like a political play to throw the Legislative Audit committee into the mix for the group to review this situation.”
Democratic Sen. Dafna Michaelson Jenet sits on the committee and doesn’t think an audit is needed at this time.
“An audit takes approximately a year to conduct. What we need now is an independent investigation, swiftly, to uncover what’s going on. If something untoward is uncovered, then a full audit would be appropriate.”
Michaelson Jenet said she would also need more details to determine whether the investigation conducted by Powell, the employment attorney hired by the Secretary of State’s office, constitutes a sufficient outside review.
“I have not looked into the credentials of who has been hired at this time,” said Michaelson Jenet.
Republican Rep. Lisa Frizell, the audit committee’s current chair, plans to present a proposal to audit the Secretary of State in the coming weeks. The committee is scheduled to meet in December.