DENVER — Passwords for Colorado's voting computers were visible online for months.
Colorado's Democratic Secretary of State Jena Griswold found out on Oct. 24. Her office only started changing the leaked passwords after the issue was made public.
Voting machines used by county clerks are listed on a spreadsheet on the Colorado Secretary of State's website. The machines are listed by serial number, county, model and vendor.
Until last week, there was a hidden tab at the bottom of the spreadsheet that, when unhidden, showed one of two passwords needed to make changes to each computer.
A spokesperson for Griswold said the office did not start having any of the passwords changed until the security issue became public on Tuesday. Her office also did not notify county clerks until it became public.
“It’s bad. Let me emphasize that we have other precautions in place, but the fact that a serious breach occurred is troubling,” Republican former Colorado Secretary of State Wayne Williams said.
Williams was Secretary of State before Griswold. The two even teamed up for a public service announcement about trusted sources in elections.
“Your county clerks are one of those sources and the fact they weren't involved, were not told, is troubling,” Williams said. “First, assure that the election is done correctly, and second, assure the public that the election is being done correctly.”
The leaked passwords are one of two needed to make changes to voting machines. Any changes require in-person access to the machines. In-person access is monitored 24/7 by video surveillance and tracked by badge ID logs.
In a statement on Wednesday, the Secretary of State’s Office said that it took “immediate action” to inform a federal agency that monitors security infrastructure, but the statement did not explain why county clerks were not notified.
“The Department took immediate action as soon as it was aware of this disclosure and informed CISA [Cybersecurity and Infrastructure Security Agency], the federal agency that closely monitors and protects the counties’ essential security infrastructure, and began conducting an investigation. Staff was on route to an affected county when this news became public,” the statement said.
The statement also said that an “outside firm” would look into the error of the passwords on a hidden tab but did not say if the computers or counties impacted would also be reviewed externally. On Tuesday, Griswold told Next with Kyle Clark that her office would investigate.
“Someone uploaded the wrong document and without taking out the hidden tab that had the BIOS passwords," Williams said. "That doesn't require a lengthy investigation because my presumption is, the Secretary of State's Office knows who the individual was. That individual made a mistake."
According to the Secretary of State’s Office, the attorney general does not have oversight authority. However, Griswold could voluntarily ask for oversight.
In a statement, a spokesman for Democratic Attorney General Phil Weiser said, “While the Attorney General’s Office cannot confirm or otherwise comment on investigations, we in Colorado take great pride in our election system being the gold standard in the nation. Any unlawful actions that damage public confidence in our elections should be taken seriously. With respect to the disclosure of election system passwords, it is critical that this matter be reviewed thoroughly, that every step is taken to ensure that our elections are safe, and that every vote is counted.”
The Attorney General’s Office said there would be no additional comment when asked if Weiser has asked to thoroughly review the issue.
A statement from Democratic Gov. Jared Polis said he had been briefed by several state agencies about election security. The statement included a line that said, “The Governor has been assured that the passwords have all been changed as well.”
When told by 9NEWS that was not the case, the governor’s office sent a new statement without that claim and without an explanation as to why it was removed.
Williams believes there should be an additional step beyond the passwords being changed.
“We need to have an inspection occur of each of the machines that the passwords were potentially disclosed,” Williams said.
Republican and Democratic county clerks who have talked with 9NEWS are not concerned that their voting machines have been or will be compromised, based on the security measures and additional passwords needed.
They have voiced concern over the lack of transparency and communication.
“Not doing it through that more transparent process is, I think, what the issue is,” Williams said.