Passwords for Colorado’s voting systems were online for four months, Colorado Secretary of State Jena Griswold said in a Nov. 4 statement.
The public was not informed about the security problem until Oct. 29, five days after Griswold’s office said it discovered the issue. The Colorado Republican Party first informed the public about the situation.
“Making this public without understanding the size and scope of the disclosure, and without having a concrete plan for determining our technical and outreach strategy, would run contrary to cybersecurity best practices and carried a significant risk of fueling the major disinformation environment that surrounds elections today,” the secretary of state’s office said.
The passwords were for some voting system components. Officials say they aren’t enough by themselves to access a system. The passwords can only be used when people access the system in person, and voting equipment, under state law, must be stored in rooms that require a secure identification badge to enter.
Colorado officials said they since have changed all the passwords.
“Colorado’s elections are safe and Coloradans will have their voices heard on Election Day. Our elections have many layers of security. Ensuring that Colorado’s elections are secure and accessible has been and will always be our top priority, which is why the Department of State, along with County Clerks and election workers across the state, address any and every potential risk to our elections with the utmost seriousness,“ Griswold said on Monday. ”I am regretful for this error. I am dedicated to making sure we address this matter fully and that mistakes of this nature never happen again.”
The secretary of state’s office has hired an unidentified law firm to investigate how the situation unfolded and how it could be prevented in the future. The office says it will “release any findings as the law permits.” It is also planning to mandate all staff members take additional cybersecurity training.
Colorado Republicans have called for Griswold to step down in the wake of the password disclosure, but she has so far declined to do so. The 40-year-old, who once worked for former President Barack Obama’s campaign, has been in office since 2019.
“We are compelled to take this legal route to ensure that such lapses in security are not only corrected but are prevented in the future,” James Wiley, a candidate in Colorado’s 3rd Congressional District and one of the plaintiffs, said in a statement. “Voter confidence is at stake, and it is our duty to safeguard the trust in our electoral systems.”
