In a major election security oversight, Colorado Secretary of State Jena Griswold’s office left critical voting system passwords publicly accessible on the state’s website for months. The breach went unnoticed by Griswold’s team until October 24 but was only addressed after the Colorado GOP brought attention to the security lapse, prompting a scramble to change the compromised passwords.
The exposed information, affecting 63 of Colorado’s 64 counties, was available through a hidden tab in a publicly accessible spreadsheet on the Secretary of State’s website. The spreadsheet contained passwords necessary to access and modify voting machine configurations, along with data sorted by serial number, model, and county.
Although the information included only one of the two required passwords for full access, cybersecurity experts have underscored that any exposure of sensitive data is a significant security risk. Many experts argue that even partial password data could pose a threat if accessed by individuals with malicious intent.
The incident remained unknown to local election officials until the Colorado GOP publicly flagged the issue. Griswold’s office later stated that federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), were notified, and an internal investigation has since been launched. However, this delay in response has raised concerns about Griswold’s transparency and handling of the incident. Local election authorities were left in the dark for months, while passwords to access voting systems remained publicly accessible.
The Colorado GOP’s exposure of the security lapse prompted a wave of criticism. Many questioned why Griswold’s office had not been proactive in implementing basic cybersecurity checks to prevent the incident. Some Republicans have called for a more thorough investigation, while others argue that federal oversight should be mandatory to prevent future lapses. Critics claim this oversight reflects a lax approach to safeguarding sensitive election infrastructure in Colorado.
An interview with 9News anchor Kyle Clark highlighted the ongoing concern. When Clark questioned Griswold about whether the breach would involve an external investigation, she declined to provide specific answers, leaving her office’s approach to the issue under scrutiny. Griswold’s office, however, has insisted that the error was an isolated incident and stated that all affected counties have since been notified and are now taking steps to update their security protocols.
According to some cybersecurity experts, the situation could indicate a larger systemic issue in local election security management. Election systems across the United States have become increasingly vulnerable to potential breaches, especially as states update and digitize their infrastructure. With the increasing reliance on digital security, experts argue that best practices should include constant audits, comprehensive training, and a layered approach to access control—whereby system data and passwords are encrypted and regularly monitored.
This incident isn’t the first time voting security in Colorado has made headlines. In 2022, Griswold’s office was accused of not adequately responding to election security concerns raised by local officials, who pointed to gaps in training and infrastructure. These prior allegations have resurfaced in light of the recent password breach, prompting a broader discussion about the overall security protocols in place in Colorado’s election system.
Griswold’s team has since initiated a detailed audit of its website’s content and storage practices. To avoid similar incidents, they have also updated internal guidelines on handling sensitive election-related data and have restricted access to such data. But despite these steps, critics argue that the damage to voter confidence may already be done, particularly with the election season approaching. Public trust in the electoral process remains a top priority for both local and federal agencies, and incidents like this could potentially fuel concerns among voters.
For Colorado’s voters, this situation has intensified debate over the efficacy and safety of voting systems. Griswold, a Democrat, has historically positioned herself as an advocate for election integrity, but this incident has raised new questions about the transparency and thoroughness of her administration’s efforts to safeguard the voting process.
Ultimately, the incident in Colorado has sparked a renewed call for rigorous standards in election security. As digital voting technologies advance, the margin for error grows slimmer, and lapses like this underscore the need for increased cybersecurity measures, transparency in handling sensitive data, and proactive reporting to stakeholders. With federal, state, and local agencies now focused on protecting election infrastructure, Colorado’s breach serves as a reminder that lapses in oversight can compromise even the most advanced systems and that trust in the process is vital to a functioning democracy.
During an interview with 9News’ Kyle Clark, Griswold did not answer if the incident would be investigated by their office or if it involved a third party.
Kyle Clark: Is your office solely responsible for investigating this, or is there an outside agency involved?
Jena Griswold: This is a straightforward case of a civil servant uploading a spreadsheet with some passwords. Two sets of passwords are required for access, and we notified CISA immediately.
At the same interview, Clark turned to Griswold’s apparent double standard and reminded her of her previous statement, where she labeled the unauthorized release of any voting system password as a serious breach.
He noted her office’s firm stance in 2021 during a similar incident involving Tina Peters, who faced severe legal consequences for accessing voting systems in her attempt to safeguard election integrity.
Kyle Clark: You frequently warn of insider threats to elections. The U.S. Department of Homeland Security defines an insider threat as someone who uses authorized access, wittingly or unwittingly, to do harm. Did the actions of your office constitute an insider threat?
Jena Griswold: No.
Kyle Clark: Why do you say that?
Jena Griswold: For several reasons. First, this does not pose an immediate security threat to Colorado’s elections. Colorado has multiple layers of security. There are two unique passwords held by different parties to access voting equipment, and physical access is also required. These passwords must be used in person. Under Colorado law, we have secure rooms, restricted access, and 24/7 video recording of all election equipment. Additionally, we use paper ballots and conduct risk-limiting audits. Our elections are some of the most secure in the nation, and many of these security measures have been enhanced since 2021.
Kyle Clark: In 2021, when Mesa County’s voting system passwords leaked, your office stated that the disclosure of BIOS passwords alone constituted a serious breach. By that standard, did your office commit a serious breach of security protocols?
Jena Griswold: No. The situation in Mesa County was distinct. Tina Peters was just convicted, and we were actively investigating a broader breach in Mesa County.
Kyle Clark: But your office said the public disclosure of BIOS passwords alone constituted a serious breach. Now that your office has leaked passwords, does that constitute a serious breach?
Jena Griswold: The statement was part of a broader press release. The situation with Mesa County involved two sets of unauthorized passwords and a larger security breach. Our security measures have improved since then, with 24/7 surveillance and access badges.
Kyle Clark: The wording used by your office was that passwords alone constituted the breach. What have you done to determine whether those passwords were used by an unauthorized person?
Jena Griswold: We began an investigation immediately and have no reason to believe there are any breaches. Federal partners are assisting, and we are examining access logs and chain-of-custody records.
Kyle Clark: In 2021, you ordered Mesa County to stop using machines for which passwords were leaked. Why no similar order now?
Jena Griswold: In Mesa County, both passwords were used, and unauthorized access occurred. With our improved security measures, we have no evidence of a similar situation here.
The public outcry led Governor Jared Polis to release a statement saying he had been briefed on the incident, initially claiming that “all passwords have been changed.” When informed by 9NEWS that this was incorrect, Polis’s office issued a revised statement that removed the claim but failed to explain the initial inaccuracy.
A spokesperson for @GovofCO Polis said he’d been briefed on election security and was assured all the leaked passwords had been changed. When 9NEWS informed Polis’ office that some leaked passwords are still in use, his office sent a statement with that sentence removed.
— Kyle Clark (@KyleClark) October 31, 2024
Former Colorado Secretary of State Wayne Williams believes this oversight deserves more than just a simple password reset.
“We need to have an inspection occur of each of the machines that the passwords were potentially disclosed,” Williams said.
5 Comments
Ya prison time for Griswold!!!!!
correct .. enough of this b s … lock her up .
Just another incompetent DEI hire for the Democrat party. Fire them all. If I did something like that in the private sector I would no longer have a job.
fire her , on the spot .. done with this BS
Not only fire her…. Prosecute her like she did with “Tina Peters”!