Passwords to voting machines in over half of Colorado counties were posted online before June primary
After partial passwords to voting machines in Colorado were discovered last week on a state website under a hidden tab of a spreadsheet, the Colorado Secretary of State’s Office shared Monday that the passwords were posted in June, just days before the state’s primary election.
The passwords, according to a statement issued Monday from the office of Jena Griswold, the Democratic secretary of state, were posted on a subpage of the Department of State’s website June 21, four days before the state’s June 25 Democratic and Republican primary elections. The office also shared Monday that after the initial discovery was made Oct. 24, the passwords were updated and the security of all affected and active voting systems components was verified by Oct. 31.
In total, voting machines in 34 of the 64 counties in the state were impacted by the password disclosure.
The department said it was informed of the incident by Dominion Voting Systems, which provides voting equipment for 62 of Colorado’s 64 counties. The department did not know immediately if the posted passwords were active, though they make up only one part of the security process for the state’s voting machines, which require two passwords.
In a joint statement Nov. 1, Gov. Jared Polis and Griswold said work to update the passwords and verify the machine security included eight state department staffers and another 22 state cybersecurity personnel.
While the department first publicly acknowledged the disclosure Oct. 29 after identifying which specific active voting system components were affected, a mass email from Colorado Republican Party Vice Chair Hope Scheppelman first alerted many county clerks to the issue that same day. With the disclosure made just ahead of Election Day, many clerks across the state said they were frustrated about the delayed communication from the secretary of state’s office.
“There are over 2,100 voting components across the state. Making this public without understanding the size and scope of the disclosure, and without having a concrete plan for determining our technical and outreach strategy, would run contrary to cybersecurity best practices and carried a significant risk of fueling the major disinformation environment that surrounds elections today,” the secretary of state’s statement said.
On Friday, the Colorado Libertarian Party filed a lawsuit against Griswold and her deputy secretary of state, asking the Denver District Court to decommission voting equipment and order a hand count of ballots in counties affected by the disclosure, a report from local outlet 9News said.
“In allowing these passwords to be available to the public, the Secretary has breached her duty to ensure that Colorado’s upcoming General Election is fair and accurate,” the complaint stated.
An emergency hearing on the matter was held on Monday afternoon, with several witnesses testifying before a Denver District Court judge. However, it was unclear when the judge would return an order.
‘I am regretful’
Through the department’s initial investigation — which it conducted with support from the Governor’s Office of Information Technology and Colorado Bureau of Investigation — it was determined that a former staff member created the spreadsheet with the passwords in a hidden tab, the statement said.
The staff member “amicably left the Department before this matter took place,” the statement continued.
The investigation also confirmed that no settings had been changed on any impacted active voting equipment. The department also said it conducted reviews of web traffic to the subpage as well as scans of the internet or dark web to look for signs of the passwords and determined that the disclosure did not pose an immediate security threat.
Following the password removal, the secretary of state consulted with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and is “engaging a well-regarded law firm to conduct an outside investigation into the event, determining how it happened, how it could be prevented in the future, and any recommendations for improvement of practices and procedures,” the statement continued.
Once the investigation is finalized, the department said it will release any findings as the law permits and require additional cybersecurity training with all staff, including password management and security procedures.
“Colorado’s elections are safe and Coloradans will have their voices heard on Election Day. Our elections have many layers of security,” Griswold said in the statement. “Ensuring that Colorado’s elections are secure and accessible has been and will always be our top priority, which is why the Department of State, along with County Clerks and election workers across the state, address any and every potential risk to our elections with the utmost seriousness. I am regretful for this error. I am dedicated to making sure we address this matter fully and that mistakes of this nature never happen again.”