Colorado's top election official reveals new details about security breach
Add Axios as your preferred source to
see more of our stories on Google.
Colorado Secretary of State Jena Griswold. Photo: Hyoung Chang/The Denver Post
A week after a Colorado election breach became public, Colorado Secretary of State Jena Griswold revealed new details about how her office inadvertently posted voting equipment passwords online.
Why it matters: The state's chief election official is doing damage control after the controversy exploded into the open and undermined trust in the state's election system.
The latest: Griswold, a Democrat, issued a mea culpa Monday that took responsibility for the mistake made by a former employee in her office.
- She also revealed the passwords were online for four months before being taken down Oct. 24.
What she's saying: "I am regretful for this error. I am dedicated to making sure we address this matter fully and that mistakes of this nature never happen again," she said in a statement.
Yes, but: She also defended her office's decision to keep the issue hidden from the public for five days, saying she didn't know if the passwords were active.
- "Making this public without understanding the size and scope of the disclosure, and without having a concrete plan for determining our technical and outreach strategy, would run contrary to cybersecurity best practices and carried a significant risk of fueling the major disinformation environment that surrounds elections today," she said in the statement.
Reality check: The lack of transparency led to exactly what she hoped wouldn't happen.
Zoom in: The secretary's office learned on Oct. 24 about the passwords posted in a hidden spreadsheet tab from a voting machines vendor and removed them from the website, according to a new timeline of events.
- 34 of the state's 64 counties were affected but an immediate investigation looking at web traffic and the dark web found the disclosure did not pose an immediate security threat.
The state finished its initial review Oct. 29 — the same day the Colorado Republican Party made the breach public — and began to change passwords and inform county clerks.
- Thanks to help from the governor's office, the secretary of state confirmed passwords were updated on all active election equipment by the end of the day Oct. 31.
Between the lines: By then, former President Trump's campaign took notice and made demands for a more thorough accounting of the incident.
- The next day the Colorado Libertarian Party filed a lawsuit against the state regarding the breach.
The intrigue: The staff member responsible for creating the spreadsheet left the department amicably before the controversy began, the office said. Griswold previously declined to comment on the nature of the departure.
- Storing the passwords in a hidden tab is not agency protocol, officials clarified.
What we're watching: The secretary's office hired an unnamed law firm to conduct an outside investigation to determine how it happened and how to prevent similar incidents in the future.
- It is also requiring additional cybersecurity training for staff.