Colorado accidentally put voting system passwords online, but officials say election is secure

DENVER — Voting system passwords were mistakenly put on the Colorado Secretary of State’s website before being spotted and taken down, but the lapse did not pose an immediate threat to the upcoming election, said state election officials Tuesday.
The passwords were one of two that are needed to access Colorado’s voting systems, and are just one part of a layered security system, said Jack Todd, spokesperson for the the Secretary of State’s office, in a statement. Those passwords alone wouldn’t allow someone access to a voting system.
Colorado’s top elections official, Democratic Secretary of State Jena Griswold, frequently calls Colorado the gold standard for election security. However, she has been criticized by the chairman of the Colorado Republican Party amid heightened scrutiny over election systems in the United States.
Election officials learned last week that the spreadsheet, which held the passwords in a hidden tab, was available online, just days out from the Nov. 5 election. Once the lapse was discovered, Todd said, the department took immediate action, informed the Cybersecurity and Infrastructure Security Agency, and is working to remedy the situation where necessary.
The executive director of the Colorado Clerks Association, Matt Crane, told 9News that while the lapse was concerning, the association was satisfied with the Colorado Secretary of State’s response.
“The truth is, is this a concern? Yes,” Crane said. “Is it being mitigated? Yes.”
The passwords in the spreadsheet, which are one half of what’s required to access voting systems, can only be used in-person. Colorado law requires that election equipment is surveilled and stored in secure rooms — access to which is guarded, tracked and logged. Colorado voters fill out paper ballots, which are audited after the election.
Chairman of the Colorado GOP, Dave Williams, sent a letter to the department Tuesday demanding that, among other things, the secretary of state confirm that the exposed passwords have since been changed.
Earlier this month, a Colorado county clerk, Tina Peters, was sentenced to nine years behind bars for a data-breach scheme based in false claims about voting machine fraud in the 2020 presidential race. Peters was found guilty by a jury of allowing a man to misuse a security card to access a county election system and for being deceptive about that person’s identity.