DENVER — The leak of voting machine passwords led to something rarely seen in politics lately. It united elected leaders of opposing parties.
Last month, Next with Kyle Clark was the first to report that BIOS passwords for voting machines in Colorado were on a hidden tab on a spreadsheet accessible on the Colorado Secretary of State’s website.
That was on Oct. 29. The same day that county clerks were notified.
Colorado's Democratic secretary of state, Jena Griswold, knew about the password issue on Oct. 24.
The communication, or lack of communication, between the Secretary of State’s Office and county clerks is revealed in emails obtained by 9NEWS Investigates.
Emails from a Democratic and Republican clerk in different parts of the state.
Boulder County is one of 34 counties that had active voting machine passwords visible online from June until it was known on Oct. 24. Democratic Boulder County Clerk Molly Fitzpatrick learned about the issue on Oct. 29.
The Secretary of State’s Office said it had completed updating the passwords in all 34 counties by the end of Oct. 31.
On Nov. 4, the day before the election, Fitzpatrick wrote an email to the Secretary of State’s communications director and copied Griswold and several higher-ups.
“It will be one week tomorrow that Clerk’s [sic] have been on the front lines of defending the topic of the BIOS passwords being posted online with nothing from the communications team to support what we have been forced to do,” Fitzpatrick wrote. “At this point, my understanding and sympathy has turned into complete irritation and disdain at the lack of support we are getting to communicate to voters.”
She was concerned about communication between the Secretary of State’s Office and county clerks and not being able to direct voters to a frequently asked questions page.
Fitzpatrick ended her email, “At this point, I have no hope that you will be supporting Clerks with communications and I’m turning my attention elsewhere.”
It was Oct. 30 when Republican Fremont County Clerk Justin Grantham received a mass email from the Secretary of State’s Office letting him know that his county did not have active passwords online.
“My sincere apologies for keeping you all in suspense, but you are the group who did not have any equipment in the leak,” the email said.
On Nov. 4, Grantham sent a letter to Griswold saying she should resign if she could not fulfill two requests.
“First, when the investigation is over, I want the detailed report on how the passwords were leaked, who it affected, and your personal assurances this will never happen again during your remaining time in office. Secondly, I want an actual apology for everything that has gone down! If you can’t do either of these things, then I request you step aside and allow someone else to finish out the remainder of your term,” Grantham wrote.
He finished his letter with, “I cannot in good conscience trust you in this position and defend your office.”
At a hearing in front of the Joint Budget Committee (JBC) on Thursday, Griswold updated the password issue for the lawmakers who help determine her office’s budget.
“I am regretful for this error, but I want to be clear today, this never posed an immediate security threat, and the security of our voting equipment was verified,” Griswold said.
She repeated previous explanations that the BIOS password is one of two passwords for each voting machine and that having the password still requires in-person access to the computer. To gain access to a computer, you need to have badge access, which is logged and recorded, in a room monitored 24/7 by security cameras. And she told the JBC that no computer settings had been changed.
“We needed to determine the size and the scope of the issue and finalize our technical and outreach plan before sharing it to avoid fueling the major disinformation environment that surrounds elections,” Griswold said. “I regret that some clerks learned about the issue from a source that was not the department.”
Lawmakers on the committee pressed Griswold about the delay in notifying clerks.
“If you weren't outed by an outside group, would you have ever notified the clerks?” State Sen. Barb Kirkmeyer, R-Brighton, asked.
“Yes,” Griswold said.
“And would that have been within two days, three days, or a week? Like, when would it have been?” Kirkmeyer asked. “When did you think it would be appropriate to notify the clerks?”
“To be very clear, there was not an immediate security threat," Griswold said. "We have multiple layers of security, and we needed to gather the information about the scope of the issue and were still actively gathering that information at the time that the issue became public. I regret that the clerks learned about this issue from a party that was not us before we had completed our assessment.”
“Was the plan to contact the clerks once you had determined the scope of that breach?" State Sen. Jeff Bridges, D-Greenwood Village, asked.
“We were planning to determine the entire scope and then determine what our next steps would be,” Griswold said.
At the hearing, Deputy Secretary of State Chris Beall told the committee that a purchase order of $25,000 was made for an outside law firm to investigate the password leak. However, he said it could be less or more if the firm needs to subcontract for forensic computer analysis.
A secretary of state employee, who left before the password leak being known, created a spreadsheet of voting machines with a hidden tab that had the BIOS passwords on them. A different employee uploaded the spreadsheet. The Colorado Republican Party learned about the spreadsheet with the hidden passwords tab from Shawn Smith. In 2022, Smith, a self-proclaimed election denier, called for Griswold to be hanged for election fraud. The Colorado Republican Party sent out a mass email on Oct. 24 revealing the password leak.