DENVER — The Colorado Secretary of State’s Office inadvertently posted a spreadsheet to its website with a hidden tab that included voting system passwords.
In a statement to 9NEWS, a spokesperson for the Colorado Secretary of State’s Office said that “the Department is working to remedy this situation where necessary.”
“The Department took immediate action as soon as it was aware of this and informed the Cybersecurity and Infrastructure Security Agency (CISA), which closely monitors and protects the county’s essential security infrastructure,” the spokesperson said.
On Tuesday morning, Colorado Republican Party Vice Chair Hope Scheppelman shared the hidden tab discovery in a mass email, along with an affidavit from someone who claims they had downloaded the Excel file from the Colorado Secretary of State’s website and discovered the hidden tab by simply clicking “unhide.” The name on the affidavit was blacked out in the Republican Party email.
9NEWS left a voicemail with Scheppelman on Tuesday afternoon.
The passwords that were in the hidden tab are known as BIOS passwords and are one part of the security process for Colorado’s voting machines.
They are passwords needed to configure system settings.
“There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties. Passwords can only be used with physical in-person access to a voting system,” a spokesperson for the Colorado Secretary of State’s Office said.
"To be very clear, we do not see this as a full security threat to the state. This is not a security threat," Colorado's Democratic Secretary of State Jena Griswold told 9NEWS Tuesday. "There are two passwords to get into any voting component, along with physical access. We have layers of security, and out of just an abundance of caution, have staff in the field changing passwords, looking at access logs and looking at the entire situation and continuing our investigation."
Watch the full Next conversation:
Griswold said the spreadsheet containing the partial passwords was up on the office's website for several months before the error was realized.
Last week, Griswold held a press conference for an unrelated case of voter fraud in Mesa County. As of the press conference, Griswold said her office was not aware of the passwords posted on their own website.
"We have no reason to believe that there are any security breaches or compromises in the state of Colorado. We've been working with federal partners. We have people in the field right now going and changing passwords, looking at access logs, looking at chain of custody books, by the way, they were already looking at chain of custody for weeks. We do take this seriously, but the action is out of an abundance of caution," Griswold said.
Under state law, voting equipment has to be in secure rooms with badge access and 24/7 surveillance. County clerks are supposed to keep a log of the secure ballot areas.
Matt Crane, a former Republican Arapahoe County Clerk and current executive director of the Colorado Clerks Association, said the fact that the passwords were online, albeit hidden, is concerning, but that the group is satisfied with the actions the Colorado Secretary of State’s Office is taking.
"The truth is, is this a concern? Yes," Crane said. "Is it being mitigated? Yes. Does this mean that all of the computers are connected to the internet and that votes are being flipped? No."
Crane said that because every voter votes on a paper ballot – yes, mail-in ballots are still paper ballots – any discrepancies can be audited and remedied.
"I want to stress here, this isn't our Republicans, but you will have some Republicans who will use this for political and financial purposes. Whereas we as clerks, we will stay in the truth in honoring our oath of office to serve our constituents in a truthful and honest manner," Crane said.
Griswold did not tell county clerks about the passwords. She argued this was not 'not disclosing' the issue.
"We did not decide not to disclose something to county clerks. We were actively investigating along with federal partners," Griswold said. "We want to try to take as measured of approaches to situations as possible and gather good information. So, along those lines, we are still in an active investigation."
There is a risk-limiting audit that takes place after voting is complete, but before the election is certified, that can address any election discrepancy. A select number of ballots are pulled for a specific race in each county and compared to the machine count. Colorado started doing risk-limiting audits in 2017, and in every case, it has verified the machine count to the paper ballots.
This is a developing story and will be updated.