Investigation into Colorado voting system password leaks finds office violated policy, but mistake was ‘unintentional’
COLORADO SPRINGS, Colo. (KRDO) – A third-party investigation into how Colorado voting equipment passwords were posted publicly on the Secretary of State's website concluded that though the office violated policy, the passwords were "mistakenly, unknowingly and unintentionally" posted.
The investigation, completed by Denver attorney Beth Doherty Quinn, didn't find any intentional wrongdoing by Secretary of State Jena Griswold or staff in her office that led to the leak. Instead, it found that “a series of inadvertent and unforeseen events led to the public disclosure of the BIOS passwords."
Notably, the investigation found the office "failed to review the posted document to ensure that non-public information would not be disclosed," which violates a Colorado Information Security policy on publicly accessible content.
However, the violation didn't directly lead to the password leak, the report reads.
In October, just one week before the presidential election, Colorado Secretary of State Jena Griswold announced her office had discovered a hidden section of voting machine passwords included on the state website. Among those impacted were eight machines in El Paso County.
The leaked passwords were one of two credentials needed to access components of the Colorado voting system, Griswold's spokesperson Jack Todd said, but Griswold said the leak did not pose a security threat and there were measures in place to protect the systems.
The passwords had been kept in hidden tabs of a spreadsheet file maintained by a former employee. However, the investigation found that none of the employees involved in posting the document online knew that hiding tabs was a feature of the software.
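The hiding mechanism described above can be checked for mechanically before a spreadsheet is posted. The following Python is an added example, not code from the report or from the Department of State: it opens an .xlsx as the zip of XML parts it actually is, reads each worksheet's visibility state from xl/workbook.xml, resolves the worksheet parts through the workbook relationships, and flags hidden rows and columns inside them. The sample workbooks are constructed in memory and contain only the parts the check reads; the function names and sample sheet names are this example's own.

```python
"""Pre-publication check for hidden content in .xlsx files (added example).

An .xlsx is a zip archive of XML parts. A worksheet's visibility is stored in
xl/workbook.xml as <sheet ... state="hidden"/> or state="veryHidden"; hidden
rows and columns are stored in the worksheet part as <row hidden="1"/> and
<col hidden="1"/>. This check reads exactly those three things.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
NS = {"m": MAIN_NS}


def _worksheet_parts(zf):
    """Map relationship Id -> zip member name using xl/_rels/workbook.xml.rels."""
    rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
    parts = {}
    for rel in rels:
        target = rel.get("Target", "")
        # Targets are normally relative to xl/; absolute ones start with "/".
        parts[rel.get("Id")] = target[1:] if target.startswith("/") else "xl/" + target
    return parts


def find_hidden_content(xlsx_bytes):
    """Return findings as (kind, sheet_name, detail) tuples, in workbook order.

    kind is "sheet" (detail = "hidden" or "veryHidden"), "row" (detail = row
    number) or "col" (detail = "min-max"). An empty list means none of these
    three hiding mechanisms is in use; it does not prove the file is safe to
    publish, since comments, defined names and document metadata are not read.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        parts = _worksheet_parts(zf)
        members = set(zf.namelist())
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # absent attribute means visible
            if state != "visible":
                findings.append(("sheet", name, state))
            part = parts.get(sheet.get("{%s}id" % REL_NS))
            if part not in members:
                continue  # malformed workbook: sheet without a worksheet part
            ws = ET.fromstring(zf.read(part))
            for row in ws.findall(".//m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append(("row", name, row.get("r")))
            for col in ws.findall(".//m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    findings.append(("col", name, "%s-%s" % (col.get("min"), col.get("max"))))
    return findings


def build_sample_workbook(sheets, hidden_rows=(), hidden_cols=()):
    """Constructed sample (not a real Department file): a minimal zip holding
    only workbook.xml, its relationships and one worksheet part per sheet.

    sheets: [(name, "visible" | "hidden" | "veryHidden")]
    hidden_rows: [(sheet_name, row_number)]; hidden_cols: [(sheet_name, min, max)]
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        sheet_xml, rel_xml = [], []
        for i, (name, state) in enumerate(sheets, start=1):
            state_attr = "" if state == "visible" else ' state="%s"' % state
            sheet_xml.append('<sheet name="%s" sheetId="%d"%s r:id="rId%d"/>' % (name, i, state_attr, i))
            rel_xml.append('<Relationship Id="rId%d" Type="%s/worksheet" Target="worksheets/sheet%d.xml"/>'
                           % (i, REL_NS, i))
            cols = "".join('<col min="%d" max="%d" hidden="1"/>' % (lo, hi)
                           for n, lo, hi in hidden_cols if n == name)
            rows = "".join('<row r="%d" hidden="1"/>' % r for n, r in hidden_rows if n == name)
            zf.writestr("xl/worksheets/sheet%d.xml" % i,
                        '<worksheet xmlns="%s"><cols>%s</cols><sheetData>%s</sheetData></worksheet>'
                        % (MAIN_NS, cols, rows))
        zf.writestr("xl/workbook.xml",
                    '<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>'
                    % (MAIN_NS, REL_NS, "".join(sheet_xml)))
        zf.writestr("xl/_rels/workbook.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS, "".join(rel_xml)))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_workbook(
        [("Public Summary", "visible"), ("Credentials", "hidden"), ("Archive", "veryHidden")],
        hidden_rows=[("Public Summary", 7)], hidden_cols=[("Public Summary", 2, 4)])
    for finding in find_hidden_content(sample):
        print("HIDDEN %s in sheet %r: %s" % finding)
```

Two practical notes. First, "veryHidden" is a state that the spreadsheet's normal "unhide" menu does not show, so a reviewer who only clicks through tabs will miss it; reading the XML does not. Second, a clean result from this check is necessary but not sufficient: cell comments, defined names, document properties and prior revisions are other places non-public data can survive, so the safer publishing rule is to export only the intended data into a freshly created file (or CSV/PDF) rather than to sanitise a working spreadsheet in place.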
In the report, dated Sunday, Dec. 8, Quinn suggested that the agency require a more thorough review of documents before they're posted online and better protect its passwords using software called a "password safe."
In total, Quinn issued seven recommendations for the department to consider, including:
- Instituting a policy prohibiting the use of “hide” functions for highly sensitive or confidential information within documents.
- Establishing a requirement that all passwords of any kind, whether they be individual user log-in credentials or password information such as the BIOS passwords, be kept only in a password safe unless an exception to that policy is granted in writing.
- Requiring better training on the data protection features of the computer software programs used on a daily basis, such as Microsoft Excel and Word.
- Updating the “Acceptable Use Computing Policy” (AUP) so the policy on the use of the password safe and the policy on creating and managing passwords are single stand-alone policies rather than policies contained at various places within the User ID and Password section of the AUP.
- Requiring employees to review its AUP policy every year and sign that they have reviewed the document.
- Creating a substantive review process for the Elections Division (and possibly other Divisions) for web requests involving posting documents to the Department website.
- Reviewing the transition and exit processes for departing employees whose responsibilities involve handling sensitive or confidential information.
“The Department of State thanks Baird Quinn for their thorough review of this matter," Griswold said in a Dec. 9 press release. "We are committed to implementing their recommendations to ensure a situation like this never occurs again."