(Colorado Newsline) Colorado Secretary of State Jena Griswold told a panel of state lawmakers that her office delayed telling county clerks about a voting equipment password leak last month because she wanted to know more about the scope and impact of the situation first.

Instead, many clerks learned about the password breach when the state Republican Party publicized it and the media began reporting on it.

“The department was focused on determining the full scope of the issue and finalizing a plan for our technical and outreach strategy before sharing it, to avoid fueling the major disinformation environment that surrounds our elections (and) has real effects on election workers all across the state of Colorado,” Griswold told the Joint Budget Committee on Thursday. “I regret that the clerks learned about this issue from a party that was not us before we had completed our assessment.”

Image

Griswold said her office learned about a published spreadsheet with partial system passwords October 24, took the spreadsheet offline and began taking action. The Colorado GOP then shared the information in an email October 29.

The passwords — known as Basic Input Output System or BIOS passwords — were for equipment in 34 of Colorado’s 64 counties. The use of BIOS passwords requires in-person physical access to voting machines, which are kept in secure areas subject to controlled keycard access and 24/7 video surveillance.

State officials, independent cybersecurity experts and county clerks from both parties have expressed confidence that Colorado’s 2024 election remained secure. By October 31, all affected equipment had undergone password updates, and state employees verified that no settings on any of the equipment had been altered.

Griswold, a Democrat, has faced intense criticism since the disclosure of the password breach, with many Republicans calling for her resignation.

Senator Barbara Kirkmeyer, a Weld County Republican, pressed Griswold on her delayed communication with county clerks.

“(Clerks are) in the middle of an election. You know about a password breach. Regardless if it’s not immediate, it still was a threat. They still should have been notified. When did you think it would be appropriate to notify the clerks?” Kirkmeyer asked Griswold.

Griswold repeated that her office wanted to gather information, which required a lot of manpower across the state, and finalize a strategy before determining “what our next steps would be.” She did not offer an exact timeline for when she planned to tell clerks.

An outside law firm based in Denver is investigating how the passwords ended up online. The office used $25,000 from its personnel services appropriation, but the actual cost of the investigation could differ depending on whether the firm needs to hire a forensic computer analyst. Additionally, the Denver district attorney’s office is also investigating the incident.

Griswold said that her office will release as much as the law firm’s final report as possible without creating a security risk. Additionally, her office is requiring increased cybersecurity and password management training.

Colorado Newsline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Colorado Newsline maintains editorial independence. Contact Editor Quentin Young for questions: info@coloradonewsline.com. Follow Colorado Newsline on Facebook and X.