In a critical breach of election safety, Colorado Secretary of State Jena Griswold’s workplace left voting system passwords publicly accessible on the state’s web site for a number of months.
Regardless of discovering the publicity on October 24, Griswold’s staff solely started to vary the leaked passwords after the Colorado GOP introduced the problem to mild.
WATCH:
Colorado Secretary of State Jena Griswold (D) knew her workplace had left voting system passwords uncovered on-line however didn’t change the passwords till the Colorado GOP instructed the general public concerning the safety risk. @marshall9news studies for @nexton9news. #copolitics pic.twitter.com/oD48FqGu5J
— Kyle Clark (@KyleClark) October 31, 2024
For months, passwords essential to entry Colorado’s voting methods in 63 out of the state’s 64 counties had been accessible on a hidden tab of a spreadsheet on the Secretary of State’s web site.
The uncovered info included one of many two passwords required to switch every county’s voting machine configurations, with knowledge listed by serial quantity, mannequin, and county.
Whereas this alone ‘could not present full entry,’ safety specialists have expressed concern that even partial passwords ought to by no means have been made public.
Griswold’s workplace didn’t notify native election officers till the GOP uncovered the safety threat, underscoring a serious lapse in transparency. A spokesperson from her workplace later said that federal businesses, together with the Cybersecurity and Infrastructure Safety Company (CISA), had been knowledgeable promptly and that an inner investigation was underway.
Throughout an interview with 9News’ Kyle Clark, Griswold didn’t reply if the incident could be investigated by their workplace or if it concerned a 3rd occasion.
Kyle Clark: Is your workplace solely answerable for investigating this, or is there an out of doors company concerned?
Jena Griswold: This can be a simple case of a civil servant importing a spreadsheet with some passwords. Two units of passwords are required for entry, and we notified CISA instantly.
On the similar interview, Clark turned to Griswold’s obvious double normal and reminded her of her earlier assertion, the place she labeled the unauthorized launch of any voting system password as a critical breach.
He famous her workplace’s agency stance in 2021 throughout the same incident involving Tina Peters, who confronted extreme authorized penalties for accessing voting methods in her try to safeguard election integrity.
Kyle Clark: You ceaselessly warn of insider threats to elections. The U.S. Division of Homeland Safety defines an insider risk as somebody who makes use of licensed entry, wittingly or unwittingly, to do hurt. Did the actions of your workplace represent an insider risk?
Jena Griswold: No.
Kyle Clark: Why do you say that?
Jena Griswold: For a number of causes. First, this doesn’t pose a direct safety risk to Colorado’s elections. Colorado has a number of layers of safety. There are two distinctive passwords held by totally different events to entry voting tools, and bodily entry can be required. These passwords should be utilized in particular person. Underneath Colorado legislation, we’ve safe rooms, restricted entry, and 24/7 video recording of all election tools. Moreover, we use paper ballots and conduct risk-limiting audits. Our elections are a few of the most safe within the nation, and lots of of those safety measures have been enhanced since 2021.
Kyle Clark: In 2021, when Mesa County’s voting system passwords leaked, your workplace said that the disclosure of BIOS passwords alone constituted a critical breach. By that normal, did your workplace commit a critical breach of safety protocols?
Jena Griswold: No. The state of affairs in Mesa County was distinct. Tina Peters was simply convicted, and we had been actively investigating a broader breach in Mesa County.
Kyle Clark: However your workplace mentioned the general public disclosure of BIOS passwords alone constituted a critical breach. Now that your workplace has leaked passwords, does that represent a critical breach?
Jena Griswold: The assertion was a part of a broader press launch. The state of affairs with Mesa County concerned two units of unauthorized passwords and a bigger safety breach. Our safety measures have improved since then, with 24/7 surveillance and entry badges.
Kyle Clark: The wording utilized by your workplace was that passwords alone constituted the breach. What have you ever performed to find out whether or not these passwords had been utilized by an unauthorized particular person?
Jena Griswold: We started an investigation instantly and don’t have any cause to imagine there are any breaches. Federal companions are aiding, and we’re inspecting entry logs and chain-of-custody data.
Kyle Clark: In 2021, you ordered Mesa County to cease utilizing machines for which passwords had been leaked. Why no comparable order now?
Jena Griswold: In Mesa County, each passwords had been used, and unauthorized entry occurred. With our improved safety measures, we’ve no proof of the same state of affairs right here.
The general public outcry led Governor Jared Polis to launch a press release saying he had been briefed on the incident, initially claiming that “all passwords have been modified.” When knowledgeable by 9NEWS that this was incorrect, Polis’s workplace issued a revised assertion that eliminated the declare however failed to clarify the preliminary inaccuracy.
A spokesperson for @GovofCO Polis mentioned he’d been briefed on election safety and was assured all of the leaked passwords had been modified. When 9NEWS knowledgeable Polis’ workplace that some leaked passwords are nonetheless in use, his workplace despatched a press release with that sentence eliminated.
— Kyle Clark (@KyleClark) October 31, 2024
Former Colorado Secretary of State Wayne Williams believes this oversight deserves greater than only a easy password reset.
“We have to have an inspection happen of every of the machines that the passwords had been doubtlessly disclosed,” Williams mentioned.
Associated story:
