Colorado state seal

News Release

State of Colorado
Department of State

1700 Broadway
Suite 550
Denver, CO 80290

Jena Griswold
Secretary of State

Chris Beall
Deputy Secretary of State

Media contacts
303-860-6903

Jack Todd
jack.todd@coloradosos.gov

Kailee Stiles
kailee.stiles@coloradosos.gov

Department of State Updates Coloradans on Election Security, Password Disclosure

Denver, November 4, 2024 - The Department of State today released the following update on the password disclosure matter. Secretary of State Jena Griswold underscored Colorado’s multilayered, effective election security, and issued the following statement:

“Colorado’s elections are safe and Coloradans will have their voices heard on Election Day. Our elections have many layers of security. Ensuring that Colorado’s elections are secure and accessible has been and will always be our top priority, which is why the Department of State, along with County Clerks and election workers across the state, address any and every potential risk to our elections with the utmost seriousness. I am regretful for this error. I am dedicated to making sure we address this matter fully and that mistakes of this nature never happen again.”

Key Election Equipment Security Measures:

  • Under Colorado law, voting equipment must be stored in secure rooms that require a secure ID badge to access. That ID badge creates an access log that tracks who enters a secure area and when. There is 24/7 video camera recording on all election equipment. Clerks are required to maintain restricted access to secure ballot areas.
  • No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee. There are also strict chain of custody requirements that track when a voting systems component has been accessed and by whom.
  • It is a felony to tamper with voting equipment.

Updates on the Password Disclosure

The Colorado Department of State, with support from the Governor’s Office of Information Technology and Colorado Bureau of Investigation, completed updating passwords and verifying the security of all of the affected active voting systems components on October 31. The Department has confirmed that no settings had been changed on any impacted active voting equipment.

On October 24, the Colorado Department of State became aware of the disclosure of passwords on a subpage of the Department’s website. The Department was informed of the data disclosure by a voting machines vendor. The Department did not initially know whether the passwords were active.

The Department immediately removed the passwords from the website and consulted with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which is tasked with assisting states and local governments in protecting the nation’s election infrastructure, as well as Dominion Voting Systems, which provides voting equipment for 62 of Colorado’s 64 counties. At the same time, the Department began looking at web traffic to the subpage and investigated whether there were signs of these passwords or anything related to them on the internet or dark web. The Department determined that the data disclosure did not pose an immediate security threat.

That same evening, the Department began a thorough assessment of whether the passwords were in use in active voting equipment. There are over 2,100 voting components across the state. Making this public without understanding the size and scope of the disclosure, and without having a concrete plan for determining our technical and outreach strategy, would run contrary to cybersecurity best practices and carried a significant risk of fueling the major disinformation environment that surrounds elections today.

On October 25, the Department determined that 34 of Colorado’s 64 counties were affected by the disclosure.

On October 29, the Department finished identifying the specific active voting system components affected by the password disclosure. Department staff immediately began changing passwords. County Clerks were informed that day; many had already learned of the disclosure from a press release issued by the Colorado Republican Party.

By the end of Thursday, October 31, all affected active equipment had undergone password updates with support from the Governor’s Office of Information Technology, Colorado Bureau of Investigation, and Colorado’s dedicated County Clerks. While changing passwords, the Department also confirmed that no settings had been changed on any impacted active voting equipment.

Through the Department’s assessment, it was determined that a former staff member created a spreadsheet that contained the passwords in a hidden tab. Storing passwords in this manner is not in line with the Department’s required data security practices and training. The staff member amicably left the Department before this matter took place. This spreadsheet was posted online on June 21, 2024, and it remained on the Department’s subpage for voting system equipment until it was taken down on October 24, 2024.

The Department is engaging a well-regarded law firm to conduct an outside investigation into the event, determining how it happened, how it could be prevented in the future, and any recommendations for improvement of practices and procedures. Once the investigation has been finalized, the Department will release any findings as the law permits. The Department will require additional cybersecurity training with all staff, including password management and security procedures.

The Department has multiple systems in place to harden our security. All employees are required to take annual cybersecurity trainings. Department policy and training requires that employees must use a password safe. Our passwords meet some of the highest security standards recognized by the National Institute of Standards and Technology.

The Department conducts risk and vulnerability assessments, including penetration tests and external testing, with agencies such as the Department of Homeland Security to check for vulnerabilities. As recently as August, the Department of Homeland Security tested for internal and external vulnerabilities. In addition, the Department’s external website systems are scanned for vulnerabilities by a third-party service.