Colorado Republicans critical of Secretary of State after voting system passwords posted online

Secretary of State Jena Griswold is trying to reassure voters after a major security breach at her office.

Passwords to voting systems statewide were leaked online in June. They remained publicly available for five months before they were flagged.

 Griswold declined an interview with CBS Colorado but her communications director, Jack Todd, says an employee accidentally made the passwords public.

The office learned of the breach last week but didn’t tell county clerks, who are in charge of securing voting systems.

Matt Crane, executive director of the Colorado County Clerks’ Association says, if not for a press release from the Colorado Republican Party, clerks wouldn’t have known about the leak and neither would voters.

“Unfortunately, clerks found out about it from an email that came from the state GOP, which was incredibly disappointing,” Crane told CBS Colorado. “If a mistake happens in a county, counties have to report that out to the state immediately. And so with something like this, when it is such so severe in nature, potentially severe, we think that the first call should have been to the county, so that we could have taken a look at our systems and at our security processes and make sure that everything was okay.”

The passwords are used to access equipment like vote tabulating machines, computers used by election judges and servers that compile all of a county’s voting data. Every county has its own password, and all but one of them were leaked.

Secretary Griswold says one password is not enough to gain access. Former Deputy Secretary of State Suzanne Taheri disagrees.

“She’s trying to say that in order to get in, you need both passwords,” Taheri said. “Well, not really. The first password, as long as you’re physically there, you could then plug a USB into the computer, bypass the system password and get in and start doing whatever you wanted with the software.”

Taheri says, fortunately, county clerks keep their election equipment in secure locations with restricted access and 24-hour surveillance. She’s not worried that the system was hacked, but she says she is worried that Griswold tried to cover up the breach.

“We need to actually know from a third party did anybody breach the system?” Taheri said. “And we don’t know that, and we don’t have somebody we can trust to tell us because she’s investigating herself.”

When Mesa County Clerk Tina Peters posted passwords for her voting systems online, Griswold called it a serious breach of voting system security protocols. In this case, she says there is no immediate security threat. Taheri said that is a double standard. 

“[She] said it was very serious when it happened in Mesa County,” Taheri recalled. “She said the release of that one password alone was a very serious election breach. And now, she’s trying to say the release of a mass amount of passwords — no big deal. Almost the worst part of this entire fiasco is that she hid it from the people who needed to know the most.”

Instead, Griswold quietly launched an internal investigation, told staff to change all the passwords and to check access to logs to make sure no one breached the system. She is now asking for a third party to investigate. Meanwhile, the Colorado GOP is demanding an audit of the office and Griswold’s resignation.

Crane says clerks too want answers, but despite the breach, he says the integrity of Colorado’s election is protected by paper ballots.

“We audit the paper after each election,” Crane said. “So if there’s something wrong with the count, let’s say on the really far-off chance someone was able to do something nefarious, we would be able to tell when we were auditing the paper ballots post-election.”