Outside review calls Colorado election passwords leak “inadvertent” but finds officials violated policy

The Colorado Secretary of State's Office violated two state information security policies that contributed to the accidental release of some voting system passwords, according to a third-party investigation.

The Colorado Secretary of State’s Office violated two state information security policies that contributed to the accidental release of some voting system passwords before the Nov. 5 election, according to a third-party investigation released Monday morning.

Denver attorney Beth Doherty Quinn found that the office violated one policy regarding training individuals to ensure nonpublic information isn’t released. And it violated another policy on the review of data to ensure it doesn’t contain secure information before it’s publicly released.

Still, the 19-page report broadly absolved Secretary of State Jena Griswold and her staff of wrongdoing. Doherty Quinn wrote that “a series of inadvertent and unforeseen events led to the public disclosure” of the passwords on a spreadsheet posted to the Secretary of State’s website in June.

The passwords’ presence on a hidden worksheet in the file was not discovered by the state until late October, and elected county clerks weren’t informed for several days — sparking frustration and criticism from some election officials.

The “substantial weight of the evidence demonstrates that the BIOS passwords contained in the hidden worksheets posted on the Secretary of State website were posted mistakenly, unknowingly and unintentionally because the (Voting Systems) Team was unaware the hidden worksheets existed,” Doherty Quinn wrote.

She offered seven recommendations for Griswold’s office to adopt, including a prohibition on the use of hidden worksheets, the storage of all passwords in digital “password safes,” and the implementation of tighter scrutiny for which information is posted to the secretary of state’s website.

In a statement released with the report, Griswold said her office was “committed to implementing (the) recommendations to ensure a situation like this never occurs again.” Griswold previously said she regretted that the information was published.

Shortly after the report was released Monday morning, the Legislative Audit Committee rejected a request from its Republican chair, Rep. Lisa Frizell, to launch an audit in response to the leak. Frizell, a senator-elect who said she hadn’t seen the report issued that morning, said an audit was needed in part because of “fairly systematic and problematic issues” related to “communications with the clerks.”

The vote was tied, with all four of the committee’s Democrats voting against it and all four Republicans voting for it. Two of the Democrats noted the release of Doherty Quinn’s report and its recommendations.

Doherty Quinn’s firm was hired by Griswold’s office last month to investigate the release of the passwords, which were discovered by a prominent election denier, Shawn Smith. Smith testified in early November that he learned of the passwords’ presence online on Oct. 24, the same day that Griswold’s office said it became aware of them.

The news was not announced until the Colorado Republican Party, led by another election denier, revealed the passwords’ publication on Oct. 29.

Smith testified that he was contacted by an attorney — before the leak was public knowledge — to fill out an affidavit about what he knew. It’s unclear how that attorney, John Case, learned of the leak or knew to contact Smith about it.

According to Westword, Smith told a group of Republicans in late November that he was tipped off about the passwords by Republican state Rep. Stephanie Luck and another Republican politician. Luck did not immediately return a message sent Monday morning. Case previously declined to answer questions.

“Difficult to anticipate” circumstances

The passwords on their own were not enough to access or alter election equipment, and a Denver judge ruled last month that there was no evidence that election systems were accessed after the password leak.

Staff from the Secretary of State’s Office removed the spreadsheet from its website and then traveled around the state to manually change any active passwords that were leaked.

“The investigator finds that this unique set of circumstances would have been difficult to anticipate,” Doherty Quinn wrote. “Further, on an organizational level, the Secretary of State/CDOS consistently took significant and appropriate measures to protect state information, including the BIOS passwords.”

The 2024 election results in Colorado have been certified.

According to Doherty Quinn’s report, the passwords were initially pasted into a separate, internal spreadsheet by a former member of the office’s voting systems team. That employee, who left in spring 2023, told Doherty Quinn that she kept the passwords in a hidden tab as “scratch paper” to help in her work.

When the employee left, she did not communicate the existence of the passwords in the file. Another version of the file had been published before, albeit in a PDF format that did not allow access to the hidden worksheets that included the passwords.

“Thus, (the former employee) had no expectation that the hidden worksheets would become public,” Doherty Quinn wrote.

But in June 2024, after the employee left, other staff decided to publish a more interactive version of the file that would be more user friendly. Those staff members were unaware of the passwords’ presence, according to the report, and were not aware of a software function that would’ve allowed them to check for hidden tabs.

Another employee, charged with reviewing material before it was published online, approved the file’s publication within a minute of it being requested. The secretary of state has “no policy, no directive and no written procedure for approving a web request,” the new report says, and the employee received no additional training when he became an “authorized reviewer.”

Two other policy violations occurred but did not contribute to the passwords’ publication, Doherty Quinn wrote. They included insufficient password security for the original internal spreadsheet and a failure by employees to review and sign the office’s computer policies.

Fallout included complaints by clerks

Weeks of fallout following the disclosure included an unsuccessful lawsuit by the Libertarian Party of Colorado and the state GOP’s threat to launch a longshot recall effort for Griswold.

County clerks have vented frustration about how Griswold’s office handled the leak. Some officials, including the head of the Colorado County Clerks Association, said they learned that passwords had been published online via the media.

In emails obtained by The Denver Post last month, two county clerks criticized Griswold’s office in communications to her staff. In a Nov. 4 email, Molly Fitzpatrick, the Boulder County clerk and a fellow Democrat, said that her sympathy for Griswold’s office over the leak “has turned into complete irritation and disdain at the lack of support we are getting to communicate to voters.”

Fitzpatrick said the “vacuum of information” about the passwords was baffling and fueled the narrative that Griswold “is running from this and that you all are leaving Clerks to defend this error.”

In a separate letter to Griswold that was also sent Nov. 4, Fremont County Clerk Justin Grantham, a Republican, accused Griswold of refusing to take accountability and of shifting blame to others in her office. Grantham said the situation exacerbated some people’s distrust in elections.

He wrote that he wanted an independent investigation and an apology, and he said that he could not “in good conscience trust you in this position and defend your office.”

In an email Monday, Grantham told The Post that he needed to review the new report before commenting. Matt Crane, the executive director of the clerks association, did not immediately respond to a message seeking comment.

Griswold told legislators in mid-November that her office was focused on discovering the scope of the leak before it informed clerks that passwords had been made available online. She said she regretted that clerks didn’t learn of the leak from her.
