Colorado Secretary Of State Posts Voting Passwords Online, State GOP Seeks ‘Legal Relief’
The Colorado Secretary of State’s Office posted passwords to statewide voting systems online for anyone to access. The Colorado Republican Party, which uncovered the security breach, is seeking accountability.
The office of Democrat Secretary of State Jena Griswold, who tried but failed to kick former President Donald Trump off the ballot, posted an Excel file online with a “hidden” page of 600 passwords to voting systems in every county but one, according to an email the Colorado GOP sent on Tuesday. Anyone could “unhide” the page and view the passwords.
On Wednesday, the Colorado GOP said it is seeking “legal relief in the courts” and calling on state lawmakers for an emergency audit, saying Griswold engaged in a “cover-up.” Colorado voting is already underway, according to the secretary’s website, with more than 1.27 million votes already cast.
“This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted,” Griswold’s office claimed in a press release.
The secretary leaked “BIOS” or “Basic Input/Output System” passwords, which “prevent unauthorized access when the computer is booting.” This violates state election rules, which dictate that “civil servants at the Department of State will securely and confidentially maintain all BIOS passwords for voting system components.”
Griswold’s office claimed passwords can only be used in person and that “every election equipment component” requires two passwords — though the Colorado GOP said “this is not true for the BIOS.”
“We do not see this as a full security threat to the state. This is not a security threat,” Griswold claimed to KUSA.
Griswold initially told the outlet her office only released “partial passwords,” but when pressed, she admitted it leaked entire passwords. She said the state has “staff in the field changing passwords” and checking access logs.
But county clerks, employees, and third-party vendors with physical access to voting systems could have gotten the passwords, according to a Colorado GOP in a release on Wednesday.
“Confidential passwords were leaked to individuals with physical access. That is all anyone needs to know,” reads the release. “It demands more than a press release.”
The party published an affidavit on Tuesday stating that an individual had accessed the data multiple times from August to October, through an Excel file called “VotingSystemInventory” posted to the secretary’s website. After downloading the file, this user selected “unhide,” which revealed pages of BIOS passwords for every county except rural Las Animas County.
Seeking Accountability
The Colorado GOP sent an email on Tuesday outlining the issue. It said an “unnamed official” had “discretely removed” the publicly available passwords on Oct. 24. The passwords were “available for public consumption,” and the file was online “at least since August.”
“We hear all the time in Colorado from Secretary Griswold and Governor [Jared] Polis that we represent the ‘Gold Standard’ for election integrity, a model for the nation,” said Dave Williams, Colorado Republican Party chairman, in the release. “One can only hope that … the Secretary of State posting our most sensitive passwords online to the world dispels that myth.”
The email included a letter the party sent Griswold’s office on Tuesday, demanding she respond to its questions within 24 hours.
“It goes without saying how significant this is,” reads the letter. “We can only imagine that, since the discovery last week, you and your staff have been working tirelessly to remedy these vulnerabilities.”
The Colorado GOP asked Griswold to confirm the following: that election systems were not “accessed physically or remotely by any unauthorized person,” that “passwords have since been changed or were otherwise not current at any point while made public,” that new passwords meet “best practices” for security, that systems are on the latest software, and that systems meet standards for a “trusted build,” i.e., a secure system. The party also asked for a list of steps to fix vulnerabilities with estimated completion dates.
“We are confident that you understand the critical nature of having released these ‘skeleton key’ passwords to the world,” the party wrote. “As such, we fully expect that you will gladly and forthrightly provide us with all that we are asking.”
If Griswold does not offer proper assurances, the party said it is prepared to tell county officials to “decertify any election machines with a password on the released list” and make the secretary “secure the elections, as required by law.”
Griswold’s office claimed in her release yesterday that voting systems are stored in secure areas under surveillance and that “chain of custody” requirements track access. The office reported the issue to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which supposedly ensures infrastructure security but is also the federal government’s online censorship hub.
The secretary’s office claimed it is “working to remedy this situation where necessary,” but did not go into specifics.
The Colorado GOP responded on Wednesday to Griswold’s release and appearances in local media, raising several concerns, including the fact that “numerous individuals” unauthorized for BIOS access have physical access to voting systems.
“How is she able to assure the public that none of these hundreds or thousands of individuals accessed the BIOS over that large amount of time?” the party wrote.
Just last week, Griswold held a press conference about voter fraud in Mesa County, according to KUSA. There, she claimed there was “no reason to believe that there are any security breaches or compromises in the state of Colorado.”
The Federalist reached out to the Colorado GOP and Griswold’s office but did not receive a comment in time for publication.
For more election news and updates, visit electionbriefing.com.
Logan Washburn is a staff writer covering election integrity. He graduated from Hillsdale College, served as Christopher Rufo’s editorial assistant, and has bylines in The Wall Street Journal, The Tennessean, and The Daily Caller. Logan is originally from Central Oregon but now lives in rural Michigan.