Jena Griswold’s office violated policy leading to voting equipment passwords leak, but mistake was ‘unintentional’
A third-party investigation into how voting equipment passwords were posted online concluded that the Secretary of State’s Office failed to review documents before posting them online but that the mistake was “unintentional.”
“A series of inadvertent and unforeseen events led to the public disclosure of the BIOS Passwords,” the investigator, Baird Quinn, LLC, concluded.
“However, the failure to review the posted document to ensure that non-public information would not be disclosed violates a Colorado Information Security Policy on publicly accessible content issued by the Governor’s Office of Information and Technology,” the investigator said.
The third-party investigator made seven recommendations to minimize the risk of similar “inadvertent disclosure” in the future:
- Instituting a policy prohibiting the use of “hide” functions for highly sensitive or confidential information within documents.
- Establishing a requirement that all passwords of any kind, whether they be individual user log-in credentials or password information, such as the BIOS passwords, be kept only in a password safe — unless an exception to that policy is granted in writing.
- Requiring better training on the data protection features of the computer software programs used on a daily basis, such as Microsoft Excel and Word.
- Updating the “Acceptable Use Computing Policy” (AUP) so the policy on the use of the password safe and the policy on creating and managing passwords are single stand-alone policies, rather than policies contained at various places within the user ID and password section of the AUP.
- Requiring employees to review their AUP policy every year and sign that they have reviewed the document.
- Creating a substantive review process for the Elections Division (and possibly other divisions) for web requests involving posting documents to the department’s website.
- Reviewing the transition and exit processes for departing employees whose responsibilities involve handling sensitive or confidential information.
The company also recommended the Department of State hire a company that specializes in digital forensics “for the limited purpose of providing expertise” regarding metadata and other information associated with the Microsoft Excel program and specific Excel files, “including the Excel file uploaded to the Colorado Secretary of State website.”
Secretary of State Jena Griswold pledged to implement those recommendations.
Griswold had acknowledged that a spreadsheet posted online to the Colorado Secretary of State’s Office website “improperly included” passwords to some components of the state’s election system. Her announcement came on the heels of a release issued earlier by the Colorado Republican Party that said the spreadsheet had included a hidden tab that could be toggled to display the passwords. The breach affected elections equipment in 34 counties.
Griswold also told 9News that she became aware of the password leak on Oct. 24 but did not inform county clerks about it until after the Colorado GOP publicized the breach.
The investigation by Baird Quinn revealed the information on that spreadsheet was posted online on June 24, 2024, the day before the primary election.
The system works this way.
Elections equipment affected by the breach has two passwords: a BIOS password maintained by the Secretary of State’s office and a second one under the control of the local county clerk. The spreadsheet released online contained just the BIOS passwords. In addition, using those passwords requires physical access to the equipment, and the person must complete a background check and possess an ID badge to enter the room.
It is a felony to access that equipment without authorization, according to Griswold.
The investigator found that “this unique set of circumstances would have been difficult to anticipate.”
“On an organizational level, the Secretary of State/CDOS consistently took significant and appropriate measures to protect state information, including the BIOS passwords,” the investigator added in the report.
Griswold and her staff, with the help of Gov. Jared Polis and the state airplane, had flown around the state over a three-day period to update the election equipment passwords in the affected counties and completed that work on Oct. 31, just days before the Nov. 5 elections.
According to 9News, several bipartisan county clerks criticized Griswold for the failure. That included Republican Fremont County Clerk Justin Grantham, who called for Griswold to resign.
In an email to Griswold, Grantham wrote: “First, when the investigation is over, I want the detailed report on how the passwords were leaked, who it affected, and your personal assurances this will never happen again during your remaining time in office. Secondly, I want an actual apology for everything that has gone down! If you can’t do either of these things, then I request you step aside and allow someone else to finish out the remainder of your term.”
He added, “I cannot in good conscience trust you in this position and defend your office.”
Griswold appeared before the Joint Budget Committee (JBC) on Nov. 21 and was asked about the breach. A briefing issued by the committee on Nov. 13 said the Department of State may ask for additional funds to cover increased legal costs tied to the breach, but indicated that securing voting machines would be managed through existing appropriations.
Griswold told the committee she’s regretful for the error but said it never posed an immediate security threat. Voting equipment worked the way it was supposed to for the election, she said.
“I’m dedicated to making sure it never happens again,” she said.
The Department of Homeland Security, which was brought in to assist, determined the passwords never made it to the dark web, she said.
“I regret that some clerks learned about the issue from a source that was not the department,” she said.
The state’s risk-limiting audit confirmed that the elections equipment worked exactly as intended, she said. She added that Homeland Security conducted risk assessments with the department and in August tested for vulnerabilities and found no issues.