The passwords were "mistakenly, unknowingly and unintentionally" posted online due to "a series of inadvertent and unforeseen events" and a "unique set of circumstances (that) would have been difficult to anticipate," the report concludes. But despite lauding the office for "consistently (taking) significant and appropriate measures to protect state information," the report finds that Griswold and her office breached Colorado Information Security Policies (CISP).
CISP requires that employees be trained to ensure that publicly accessible information does not include confidential information, like passwords, and to review content before posting it to confirm that confidential information isn't included. Griswold's office's employees were not adequately trained to do this, the report asserts, which led to the leak.
"While in all other respects reviewed by this Investigator the Secretary of State and (Colorado Department of State) ensured that the BIOS passwords were safe, in that regard I find that CISP 9.15.2 and 9.15.3 were violated," reads the report from the Baird Quinn law firm released on Monday, December 9.
This investigation was commissioned by Griswold's office, but it won't be the last examination of the password leak. The Denver District Attorney’s Office is actively investigating the incident with assistance from the 4th Judicial District Attorney's Office in El Paso County.
On the same day Griswold's office released the report, state lawmakers rejected calls to audit the Secretary of State's Office over the leak, with the four Democrats on the Legislative Audit Committee voting against the request and the four Republicans voting in favor of it, defeating the audit proposal with a tie.
For four months, hundreds of passwords for voting equipment were exposed on the Secretary of State's website, on an easily accessible hidden tab of a public spreadsheet. The Colorado Republican Party broke the news of the blunder on October 24, to the outrage of county clerks, who did not learn of the leak from Griswold's office (according to a deputy, they wanted to attempt to avoid a "media storm").
The revelation led to leaders of the state Republican Party demanding that Griswold resign, the Libertarian Party unsuccessfully suing to require a hand count of ballots in impacted counties, and even Democratic Governor Jared Polis calling for an independent investigation into the security breach.
The leak did not impact the security of Colorado's election, state officials say. Two passwords are required to make changes to a voting system, according to Griswold's office; the leaked passwords accounted for only half of that pair. In addition, the passwords can only be used in person, with physical access to the voting equipment — which is mandated to be stored in secure rooms that require ID badges to access and have 24/7 video surveillance.
A Denver judge denied the Libertarian Party's hand-count lawsuit on Election Day, November 5, finding no evidence that voting system components were compromised.
"A Series of Inadvertent and Unforeseen Events"
The passwords were posted online as a result of several miscommunications and oversights by voting systems employees, according to the report. The office used to keep its voting systems inventory, including equipment passwords, in a Microsoft Access database. But in August 2021, a former employee responsible for maintaining the inventory recommended that it be migrated into an Excel file instead.
In the Excel file, the former employee created hidden tabs that she used as "scratch paper" to help clean up the inventory on the visible tabs, says the report, whose authors interviewed past and present employees. The hidden tabs included the passwords. The former employee "never told anyone that there were hidden (tabs) in the" file, as they did not "serve any team-wide purpose," the report notes.
While she worked in the office, the voting systems inventory was only posted on the office's website as a PDF file, not an Excel file, with the passwords on the visible tabs removed before publication. When an Excel file is converted to a PDF file, hidden tabs do not show up in the PDF.
The former employee "had no expectation that the hidden (tabs) would become public," the report reads, adding that she "specifically stated that she does not believe she informed anyone on the (Voting Systems Team) about the hidden (tabs). The remaining members of the VS Team also never discovered the hidden (tabs) prior to October 24, 2024, when they were brought to their attention."
"No one on the VS Team appeared to know that (tabs) could be hidden," it adds.
Just over a year after the employee who created the hidden tabs resigned, another employee changed the voting systems inventory posted online from a PDF file to an Excel file this past June, "to make the list more user-friendly to the public" by making it sortable and more easily searchable. An employee within the office's IT department approved the request to swap the PDF file with an Excel file without reviewing what information the new file contained, the report claims.
The IT employee "approved (the voting systems employee)'s web request within one minute. (The IT employee) simply clicked on the approval button without looking at the request or file to be uploaded," the report notes, adding that the IT employee "received no training when he became an authorized approver. (The IT employee) understands that the approval step is a mere formality with no actual review required."
The Excel file posted online contained the passwords in the hidden tab created by the former employee, which hadn't been updated since the employee resigned in May 2023. The exposed information included current passwords for voting equipment in 34 Colorado counties.
The passwords were discovered in October by Shawn Smith, one of the state's most famous election deniers. Smith says he was tipped off by state Representative Stephanie Luck and failed House District 38 candidate Jeff Patty, who knew that Smith regularly downloads the office's spreadsheets and were informed by an unidentified party that there were hidden passwords in one of the files.
The report concludes that Griswold and her office violated Colorado Information Security Policies by not training the voting systems and IT employees to "ensure that publicly accessible information does not contain non-public information and to review the proposed content of information prior to posting."
The report notes that the former employee who put the passwords on the hidden tab did not violate any laws or policies because Excel files were never posted online during her employment and she "had no reasonable expectation that the file would ever be publicly disclosed in its native format."
Changes Are Coming, Griswold Says
To prevent this kind of incident from happening again, the report makes several recommendations for the Secretary of State's Office to improve security. They include prohibiting the use of "hide" functions for sensitive information within documents; requiring that all passwords be kept only in a password safe; implementing better training on the data protection features of computer software programs like Excel; creating a review process for web requests to post documents; and reviewing the transition process for departing employees.
The office says it has committed to implementing all of the recommendations "as soon as practicable."
"The Department of State thanks Baird Quinn for their thorough review of this matter," Griswold says. "We are committed to implementing their recommendations to ensure a situation like this never occurs again."