A law firm has concluded that the online posting of passwords for Colorado’s election machines happened inadvertently, but did violate some policies.
The Secretary of State’s office hired the Denver-based firm Baird Quinn LLC to investigate after the security breach came to light this fall.
In her 19-page report, attorney Beth Quinn wrote that the incident was preceded by a unique set of circumstances that would have been difficult to anticipate.
According to the investigation, the employee who originally created the hidden tab of passwords had no expectation the spreadsheet, which also listed technical information about the state’s voting equipment, would ever be posted online. And she had left the office by the time other staff decided to put the document on the department website, in a bid to increase transparency.
Quinn said the substantial weight of the evidence indicates that the passwords “were posted mistakenly, unknowingly and unintentionally,” because people on the voting systems team were unaware of the hidden tab.
Despite the breach, Quinn concluded that on an organizational level the Secretary of State’s office consistently “took significant and appropriate measures to protect state information.”
However, Quinn did conclude that the office violated two of the state’s information security policies: first, by not giving staff enough training in how to search for hidden tabs and metadata, to ensure publicly accessible documents don’t include confidential or private information, and second, by not designating staff to make a final security check of documents from the Elections Division prior to publishing them.
The employee who posted the spreadsheet was not trained to know about, or look for, hidden tabs, and the team in charge of web requests and content management didn’t review the document before putting it on the office’s website.
A staff member told Quinn that as long as there’s a “reasonable reason” to post something online, the office has no official policy for approving web requests.
Request for broader audit rejected by Democrats
Hours after the investigation was made public, Democrats on the legislature’s bipartisan audit committee defeated a request to have the State Auditor conduct more research for a broader audit of the Secretary of State’s office. The committee’s current chair, Republican Rep. Lisa Frizell, made the request.
“I feel this is one of the reasons this committee exists,” she told her colleagues.
Another Republican said he thought an audit would increase transparency and build trust with county clerks, but Democrats voted down the motion with little discussion.
Democratic Sen. Dafna Michaelson Jenet and Rep. Andrew Boesenecker both mentioned the Baird Quinn investigation, but they said they hadn’t yet read it.
The revelation that passwords for ballot tabulation machines in half of Colorado’s counties had been online for months in a hidden tab on the Secretary of State’s website set off shockwaves in the days before the November election. The state scrambled IT professionals to all corners of Colorado to update the passwords, but rejected demands from the Trump campaign and the Colorado Libertarian Party to restart ballot counting.
A BIOS password, which grants access to the equipment’s underlying software, is not enough on its own to manipulate a voting machine; someone must also have physical access to manually enter the password. The machines are kept under 24/7 video surveillance in clerks’ offices around the state, with key card access limited to a small number of background-checked staff.
For the investigation, Quinn interviewed ten people: nine current employees and one former employee. Her report outlines what she uncovered.
Investigation detailed how breach happened
The employee who created the hidden tab worked in the elections division of the Secretary of State’s office from June 2020 to May 2023 and was responsible for compiling voting system information. She told the investigator the hidden tab “should be considered similar to ‘scratch paper’ that was ‘functional to me’” but not intended for anyone else’s eyes.
The voting system information spreadsheet had restricted access and its own password protection, but the passwords on it were not stored in a password safe, as user IDs and logins were. The Secretary of State’s Chief Information Officer said those layers of protection, with a properly complex password, are an acceptable alternative to using the password safe.
The employee “never had responsibility for posting the VSI (voting system information) on the Secretary of State’s website and there is no evidence that she ever posted it.” Information about the voting equipment counties use, like the manufacturer and model numbers, has been posted occasionally to improve transparency but isn’t required by law to be online.
In two earlier instances, the information was posted in PDF form, which doesn't allow for hidden tabs. For the most recent version, which the state put online in June of 2024, a staffer suggested keeping the data in the Excel spreadsheet to make it more user-friendly for the public.
The investigator determined that, by not deleting or disclosing the hidden worksheets before she left, the former employee could arguably have failed to take precautions to protect against unauthorized or careless disclosure.
However, because the former employee “had no reasonable expectation that the file would ever be publicly disclosed in its native format” the investigator concluded she did not violate state policy.
The investigation also captured some of the impact of the breach on election division staff themselves.
Quinn wrote that staff were sincere in how they talked about their commitment to their work – “facilitating secure and fair elections” – and the importance of doing their job well. They also described the impact of the password breach on the health and well-being of members of the voting systems team.
Ways the office can do better
The investigation developed a list of policy recommendations, concluding that the Secretary of State’s office should consider implementing:
- A substantive review process for the Elections Division to set up a system for approving web requests.
- A policy prohibiting the use of the “hide” functions for highly sensitive or confidential information.
- A requirement that all passwords of any kind be kept only in a password safe to unify sensitive information with limited exceptions.
- Requiring employees to be better trained on the data protection features of the computer software programs.
- A review of the exit process to make sure an employee responsible for handling sensitive or confidential information discusses where the information is located and how it was used before they leave.
- Clearer internal guidelines on creating and maintaining passwords, and requiring all passwords to be updated at set intervals.
- Requiring employees to review and sign the acceptable use computing policy every year, not just when onboarding or for major updates.
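The training gap and missing final check described earlier, and the first, second and fourth recommendations above, all come down to one mechanical step that nobody performed before the spreadsheet went online: look inside the workbook for sheets the Excel interface does not show. The following is an added example of such a pre-publication gate; it is not code from the Baird Quinn report or from the Secretary of State’s office. It relies only on the public .xlsx structure (a zip archive whose xl/workbook.xml lists every sheet with an optional state attribute of hidden or veryHidden, and whose docProps/core.xml carries author metadata) and builds its own constructed sample workbook, so the sheet names and the author value are assumptions, not anything from the state’s file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespace of the SpreadsheetML workbook part inside an .xlsx archive.
SML = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"s": SML}
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def hidden_sheets(xlsx_bytes: bytes) -> list:
    """Return (name, state) for every worksheet whose state is not 'visible'.

    An .xlsx file is a zip archive; the sheet list, including the
    'hidden' / 'veryHidden' state flag, lives in xl/workbook.xml. Reading
    it directly needs no spreadsheet library and sees sheets that the
    Excel user interface does not show.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    found = []
    for sheet in root.findall("s:sheets/s:sheet", NS):
        state = sheet.get("state", "visible")  # absent attribute means visible
        if state != "visible":
            found.append((sheet.get("name"), state))
    return found


def document_metadata(xlsx_bytes: bytes) -> dict:
    """Return core document properties (creator, lastModifiedBy) if present.

    These live in docProps/core.xml and are the 'metadata' a pre-publication
    review should also inspect; missing properties are simply omitted.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    out = {}
    for key, path in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        el = root.find(path, CORE_NS)
        if el is not None and el.text:
            out[key] = el.text
    return out


def publish_allowed(xlsx_bytes: bytes) -> bool:
    """Pre-publication gate: refuse any workbook that carries a hidden sheet."""
    return not hidden_sheets(xlsx_bytes)


def build_sample_xlsx(sheets, creator="staffer") -> bytes:
    """Construct a minimal workbook skeleton (constructed test data, not a real
    state file) with the given (name, state) sheets. Only the parts the checks
    above read are written; it is enough to exercise them, not a file meant to
    be opened in Excel."""
    sheet_tags = "".join(
        '<sheet name="%s" sheetId="%d"%s r:id="rId%d"/>'
        % (name, i, "" if state == "visible" else ' state="%s"' % state, i)
        for i, (name, state) in enumerate(sheets, start=1)
    )
    workbook = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="%s" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<sheets>%s</sheets></workbook>" % (SML, sheet_tags)
    )
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (CORE_NS["cp"], CORE_NS["dc"], creator, creator)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("docProps/core.xml", core)
        for i, _ in enumerate(sheets, start=1):
            zf.writestr(
                "xl/worksheets/sheet%d.xml" % i,
                '<worksheet xmlns="%s"><sheetData/></worksheet>' % SML,
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one public sheet plus two sheets hidden from the UI.
    sample = build_sample_xlsx(
        [("VSI", "visible"), ("Passwords", "hidden"), ("Notes", "veryHidden")]
    )
    print("hidden sheets:", hidden_sheets(sample))
    print("metadata:", document_metadata(sample))
    print("publish allowed:", publish_allowed(sample))
```

Run against a real workbook with `hidden_sheets(open(path, "rb").read())`; a non-empty result is the signal to stop the web request and route the file back to the Elections Division, which is the final check the report found nobody was designated to perform. Note that veryHidden sheets cannot be unhidden from the Excel ribbon at all, which is why the check reads the archive rather than trusting what the application displays.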