On the eve of the court hearing, the secretary of state revealed when her office became aware of the improperly published passwords

This is an evolving story

The Colorado Secretary of State’s office was first alerted by the manufacturer of some of the equipment that passwords to many of the state’s 2,100 pieces of voting equipment had been posted online.

The state learned of the situation on Oct. 24, five days before the Colorado Republican Party sent an email to members describing the security breach.

The information is part of a new disclosure schedule released by the state ahead of a court hearing Monday afternoon, during which the Colorado Libertarian Party says all affected equipment must be decertified and ballots in those precincts counted by hand.

“As soon as we got the call, the staff picked it up and that’s when we started our planning,” Democratic Secretary of State Jena Griswold told CPR News Monday morning.

What they found was that the current passwords to equipment in 34 of Colorado’s 64 counties were listed on a hidden tab in a spreadsheet that had been online since June. Visible portions of the sheet contained other information about the voting machines that Colorado must make public.

Throughout the situation, state and local officials and equipment manufacturers stressed that BIOS passwords could only be entered into the machines in person, and that this type of voting equipment was kept in locked rooms under 24-hour video surveillance, with access limited to verified personnel.

Griswold said that to her knowledge, none of the BIOS passwords have been published on the dark web or anywhere else on the Internet.

CPR learned last week that the spreadsheet, including the hidden tab, was created by an employee who quit the office earlier this year, and that a subsequent employee, apparently unaware of the hidden data, posted the spreadsheet online. On Monday, Griswold confirmed that the first employee had left on good terms, and that the second employee was still working for the secretary of state.

“As far as we understand, there is no evidence that the employees who posted the spreadsheet were aware of the hidden tab,” Griswold said.

The Secretary of State’s office contracted with the Denver law firm of Garnett Powell Maximon Barlow & Farbes to conduct an outside investigation of the situation led by attorney David Powell. Griswold said any potential ramifications for her staff members will come after that is over.

“There was an error and as a result we will be providing further training to staff and will be contracting with this third party law firm to further investigate how this happened, how it could have been prevented and any other recommendations to improve practices and procedures,” Griswold said.

She said it is not department policy to store passwords in plain text in a spreadsheet.

“We do a lot of teaching and reinforcing that passwords should be stored in a password safe. We need passwords to be encrypted.”

Griswold also noted that in August, her office, along with the US Department of Homeland Security, conducted a risk assessment to find vulnerabilities in both internal and external websites and systems. A hidden tab could not be opened during this process.

Last Thursday, the state completed updating passwords for all affected active voting machines. The staff performing these updates also checked to see if any hardware settings were changed and found no security breaches.

Griswold faced criticism from county officials for not alerting them to the security breach until hours after the Colorado Republican Party sent its email. She continues to defend this decision.

She said her office initially did not know whether the passwords were still active, and that until there was a concrete plan to address the situation, releasing what happened “would be against cybersecurity best practices and would cause significant harm and the risk of fueling a large environment of disinformation.”

It took several hours after the Colorado Republican Party released the information for Griswold’s office to fully grasp the scope of the constituents’ influence and then hold a meeting with the clerks who manage the county’s elections.

Affidavit says a right-wing activist discovered the vulnerability but did not report it to the state

Although the password situation was first disclosed by the Colorado Republican Party, party officials did not respond to media inquiries about when or how they first learned of it.

However, an affidavit signed by conservative activist Sean Smith says he found the hidden BIOS passwords tab on the Colorado Secretary of State’s website several times, first on August 8, and confirmed that it was still there on October 16 and 23.

Smith’s affidavit was included, with his name redacted, in a Republican Party press release. CPR News obtained the unredacted version.

Smith is a founding member of the U.S. Election Integrity Plan (USEIP). The group, based in El Paso County, sent mass agitators to the outskirts of the state to find evidence of voter fraud after the 2020 elections. Smith has been a staunch supporter of MyPillow CEO Mike Lindell’s efforts to undermine confidence in the 2020 election. He has accused Griswold of election-related misconduct in the past and offered to execute her.

“I would say overall it’s incredibly concerning that someone knew this information and didn’t tell us,” Griswold said.

Libertarians are asking the judge to resume manual vote counting

Despite assurances from Griswold’s office and election officials from both parties that Colorado’s general election remains safe, the Colorado Libertarian Party is filing a lawsuit against the secretary of state’s office.

The party is asking the judge to decommission any voting machine linked to the password leak and to require affected counties to restart the manual counting of all their ballots.

On Friday, the party filed a lawsuit against Griswold and Deputy Secretary of State Chris Beall. Both sides were in court for an emergency hearing Monday afternoon.

“By making these passwords available to the public, the Secretary breached her duty to ensure the integrity and accuracy of the upcoming general election in Colorado,” the complaint states.

The lawsuit also calls for the Colorado attorney general to investigate Griswold’s office.

CPR reached out to the AG’s office to ask if it was involved in the investigation into the breach, and the office said in a statement, “This matter is part of a legal proceeding against the state, so the attorney general’s office cannot comment.”