The Colorado Secretary of State’s Office violated two state information security policies that contributed to the accidental release of some voting system passwords before this year’s election, according to a third-party investigation released Monday morning.
Denver attorney Beth Doherty Quinn found that the office violated one policy, regarding training individuals to ensure nonpublic information isn’t released, as well as another policy about reviewing data to ensure it doesn’t contain secure information before it’s publicly released.
Still, the 19-page report broadly absolved Secretary of State Jena Griswold and her staff of wrongdoing. Doherty Quinn wrote that “a series of inadvertent and unforeseen events led to the public disclosure” of the passwords on a spreadsheet posted to the Secretary of State’s website in June.
The passwords’ presence on a hidden worksheet in the file was not discovered by the state until late October.
The “substantial weight of the evidence demonstrates that the BIOS passwords contained in the hidden worksheets posted on the Secretary of State website were posted mistakenly, unknowingly and unintentionally because the (Voting Systems) Team was unaware the hidden worksheets existed,” Doherty Quinn wrote.
She offered seven recommendations for Griswold’s office to adopt, including the prohibition of using hidden worksheets, the storage of all passwords in digital “password safes,” and the implementation of tighter scrutiny for which information is posted to the secretary of state’s website.
In a statement released with the report, Griswold said her office is “committed to implementing (the) recommendations to ensure a situation like this never occurs again.” Griswold previously said she regretted that the information was published.
Doherty Quinn’s firm was hired by Griswold’s office last month to investigate the release of the passwords, which were discovered by a prominent election denier, Shawn Smith. Smith testified in early November that he learned of the passwords’ presence online on Oct. 24, the same day that Griswold’s office said it became aware of them.
The news was not announced until the Colorado Republican Party, led by another election denier, announced the passwords’ publication on Oct. 29.
The passwords on their own were not enough to access or alter election equipment, and a Denver judge ruled last month that there was no evidence that election systems were accessed after the password leak. Staff from the Secretary of State’s Office removed the spreadsheet from its website and then traveled around the state to manually change any active passwords that were leaked.
“The investigator finds that this unique set of circumstances would have been difficult to anticipate,” Doherty Quinn wrote. “Further, on an organizational level, the Secretary of State/CDOS consistently took significant and appropriate measures to protect state information, including the BIOS passwords.”
The 2024 election results in Colorado have been certified.
According to Doherty Quinn’s report, the passwords were initially pasted into a separate, internal spreadsheet by a former member of the office’s voting systems team. That employee, who left in spring 2023, told Doherty Quinn that she kept the passwords in a hidden tab as “scratch paper” to help in her work.
When the employee left, she did not communicate the existence of the passwords in the file. Another version of the file had been published before, albeit as a PDF that did not include the ability to access the hidden worksheets that included the passwords.
“Thus, (the former employee) had no expectation that the hidden worksheets would become public,” Doherty Quinn wrote.
But in June 2024, after the employee left, other staff decided to publish a more interactive version of the file that would be more user-friendly. Those staff were unaware of the passwords’ presence, according to the report, and were not aware of a software function that would’ve allowed them to check for hidden tabs. Another employee, charged with reviewing material before it was published online, approved the file’s publication within a minute of it being requested.
The secretary of state has “no policy, no directive and no written procedure for approving a web request,” and the employee charged with reviewing the request received no training when he became an “authorized reviewer.” That employee understood his role, according to the report, to be a “mere formality with no actual review required.”
Two other policy violations occurred but did not contribute to the passwords’ publication, Doherty Quinn wrote. They included insufficient password security for the original internal spreadsheet and a failure of employees to review and sign the office’s computer policies.