The Secretary of State detailed when her office learned of the incorrectly published passwords ahead of the court hearing.

This is a developing story

The Colorado Secretary of State’s Office was first alerted by the equipment’s manufacturers that passwords to many of the state’s 2,100 pieces of election equipment had been posted online.

The state learned of the situation on Oct. 24, five days before the Colorado Republican Party sent an email to members describing the security breach.

The information is part of a new disclosure schedule the state released ahead of a court hearing Monday afternoon in which the Colorado Libertarian Party argues that all affected equipment should be decertified and ballots in those counties be counted by hand.

“As soon as we got the call, staff canceled it and then we started planning,” Democratic Secretary of State Jena Griswold told CPR News Monday morning.

They learned that the current passwords for equipment in 34 of Colorado’s 64 counties were listed in a hidden tab of a spreadsheet that had been online since June. Visible parts of the sheet contained other information about voting machines that Colorado is required to make public.

In this situation, the state, local officials and equipment manufacturers have emphasized that BIOS passwords can only be entered into machines in person and that this type of voting equipment is kept in locked rooms, under 24-hour video surveillance, with limited access and background checks of employees.

Griswold said that to her knowledge, none of the BIOS passwords were published on the dark web or anywhere else on the Internet.

Last week, CPR learned that the spreadsheet, including the hidden tab, was created by an employee who stopped working at the office earlier this year, and that a subsequent employee, who was apparently unaware of the hidden data, posted the spreadsheet online. Griswold confirmed Monday that the first employee left his job on amicable terms and that the second employee still works for the secretary of state.

“As far as we understand, there is no evidence that the employees who posted the spreadsheet were aware of the hidden tab,” Griswold said.

The Secretary of State’s Office contracted with Denver law firm Garnett Powell Maximon Barlow & Farbes to conduct an outside investigation of the situation, led by attorney David Powell. Griswold said any potential consequences for members of her staff would occur after this was completed.

“An error has occurred and because of this we will be conducting further staff training as well as contracting with this third party law firm to conduct a further investigation into how this happened, how it could be prevented and any other recommendations to improve practices and procedures,” Griswold said.

She said storing passwords in plain text on a spreadsheet is not department policy.

“We do a lot of training and emphasize that passwords should be kept in a password safe. We need the passwords to be encrypted.”

Griswold also noted that in August her office conducted a risk assessment with the U.S. Department of Homeland Security to identify vulnerabilities in both internal and external websites and systems. This process was unable to open the hidden tab.

Last Thursday, the state completed updating passwords on all affected active voting machines. The staff performing these updates also checked to see if any hardware settings had been changed and found no security issues.

Griswold encountered pushback from district officials for not alerting them to the security breach until hours after the Colorado Republican Party sent out its email. She continues to defend the decision.

She said her office initially did not know whether the passwords were active, and that until there was a specific plan to address the situation, publicly disclosing what happened was “contrary to cybersecurity best practices and would pose a significant threat.” the risk of fueling a large-scale disinformation environment.”

It took several hours after the Colorado Republican Party released the information for Griswold’s office to fully understand the scope of the components involved and then hold a meeting with the clerks who administer county elections.

Affidavit says right-wing official found vulnerability but never reported it to government

Although the password situation was first made public by the Colorado Republican Party, party officials did not respond to media questions about when or how they first learned of it.

However, an affidavit signed by conservative activist Sean Smith states that he found a hidden BIOS passwords tab on the Colorado Secretary of State’s website several times, first on August 8, and confirmed that it was still there on October 16 and 23.

Smith’s testimony was included (with his name redacted) in a GOP press release. CPR News obtained an unedited version.

Smith is a founding member of the United States Election Integrity Plan (USEIP). The group, based in El Paso County, sent mass agitators to areas across the state to look for election fraud after the 2020 election. Smith has been a strong supporter of efforts by Mike Lindell, CEO of MyPillow, to sow distrust in the 2020 election. In the past, he has accused Griswold of criminal behavior during the election and proposed to execute her.

“I would say overall it’s incredibly troubling that somebody knew this information and didn’t tell us,” Griswold said.

Libertarians ask judge to resume manual vote counting

Despite assurances from Griswold’s office and election officials from both parties that Colorado’s general election remains secure, the Colorado Libertarian Party is filing a lawsuit against the Secretary of State’s office.

The party asks the judge to remove from service any voting machine associated with the password leaks and to require affected counties to resume manual counting of all their ballots.

The party filed a lawsuit Friday against Griswold and Deputy Secretary of State Chris Beall. Both sides appeared in court for an emergency hearing Monday afternoon.

“By allowing these passwords to become publicly available, the Secretary of State violated her duty to ensure that the upcoming general election in Colorado will be fair and accurate,” the complaint states.

The lawsuit also asks the Colorado attorney general to investigate Griswold’s office.

CPR contacted the Attorney General’s office to see if it was involved in the investigation into the breach and was told in a statement: “This matter is part of legal proceedings against the State and therefore the Attorney General’s Office cannot comment.”