Investigation finds Colorado election passwords were posted ‘unintentionally’

[Image: Hand inserting a piece of paper labeled "vote" into a wood box labeled "Ballot Box." The box is secured by chains. © iStock - viavado]

Lindsey Toomer
(Colorado Newsline)

A third-party law firm hired to investigate the Colorado secretary of state’s election system password breach found that passwords were posted online unintentionally, though two policies related to training and review of publicly posted documents were violated, an investigator’s report says. The investigator recommended increased review measures to minimize future risk.

Colorado Secretary of State Jena Griswold disclosed in late October that a document posted to her office’s website included a hidden but accessible worksheet containing Basic Input Output System — or BIOS — passwords to election equipment in counties throughout the state. Her office said the staff member responsible for posting the spreadsheet had left their position “amicably” before state officials discovered the passwords were inadvertently exposed. The department requested a third-party investigation into the breach shortly after discovering it.

Beth Doherty Quinn of Baird Quinn, LLC, led the investigation, which was commissioned by Griswold’s office. Quinn interviewed department staff, reviewed various department policies and documents, and worked with digital forensics experts. The secretary of state released Quinn’s report into the breach Monday.

[Image: Colorado Secretary of State Jena Griswold (public domain)]

Quinn’s report said all employees interviewed during the investigation showed “a sincere desire to maintain the confidentiality of the BIOS passwords.” She said the “devastating” impact the breach has had on the voting systems team and “on the health and well-being of particular individuals” on the team “was palpable during interviews.” She also said the unique set of circumstances that led to the breach “would have been difficult to anticipate.”

Two current employees of the voting systems team whom Quinn interviewed “sincerely described their belief in the importance of their work — facilitating secure and fair elections — and the importance of doing their job well,” the report says. The report found that the remaining employees were unaware of the hidden tabs after the employee who created them left the department.

A former employee with the Department of State migrated the state’s voting systems inventory information from a Microsoft Access database to a Microsoft Excel file in 2021. In transferring this data, the former employee created four hidden tabs used “solely for her own purposes,” some of which contained the BIOS passwords. She never informed other employees about the hidden tabs, so “she would not be surprised that they would be unaware of their existence,” the report said.

None of the employees are named in the report.

The Colorado Legislature’s Legislative Audit Committee declined Monday to start its own investigation into the breach. County clerks said that while election security in the state remained strong following the breach, many were upset that Griswold did not inform them about the breach until after the Colorado Republican Party learned about and announced it.

Recommendations

The report also found that voting systems inventories are not legally required to be posted online; rather, the department had historically posted them in PDF form for transparency. Forensic computer experts said that exporting an Excel spreadsheet to PDF leaves hidden tabs out of the resulting file, so the former employee who added the hidden tabs “had no expectation that the hidden worksheets (tabs) would become public.”

The former employee who created the hidden tabs resigned in May 2023, and she did not inform other members of the voting systems team of the hidden tabs included in the new inventory spreadsheet. No other members of the voting systems team were aware of the hidden tabs until the state learned they were posted online in the spreadsheet on October 24, nor did they know a whole tab could be hidden.

[Image: Hand inserting a piece of paper into a ballot box in front of the Colorado flag. © iStock - Niyazz]

Prior to the spreadsheet with hidden tabs being posted, the last voting system inventory was posted online November 6, 2023, in PDF format. The voting systems team wanted to update the inventory posted online ahead of the June primary, and a member of the team suggested posting an Excel version of the file as opposed to a PDF to make the public document more user-friendly.

The employee copied the original document and renamed the copy to signify it would be publicly posted, unaware that the copy included hidden tabs that contained BIOS passwords. The employee deleted sensitive information included in the only visible tab remaining and requested that the department’s content management team replace the voting inventory PDF online with the new spreadsheet.

Other employees interviewed during the investigation approved the request without any review of the document itself. Quinn found the lack of review violated state information security protocol related to reviewing publicly accessible data.

Quinn made seven recommendations to prevent a future breach, and the department agreed to implement the recommendations. The department should create a detailed review process for web requests from the Elections Division, with specific requirements that must be met before a document can be posted. It should also implement a policy prohibiting the use of “hide” functions for sensitive or confidential information.

She also recommended all passwords be kept in a password safe unless an exception is granted in writing by the Department of State’s IT Division. The department should also better train employees on data protection features of computer software used regularly, such as specific features of Microsoft Excel and Word that could have found the hidden tabs prior to publication.
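As an added illustration of the kind of pre-publication check the report's recommendations call for (this is example code written for this page, not code from the report, Baird Quinn, or the Department of State), the script below treats an .xlsx file as what it actually is, a zip archive of XML parts, lists every worksheet together with its visibility state, and flags cells whose text looks like a credential. The visibility state is a single attribute on each `<sheet>` element in `xl/workbook.xml`, with values `visible`, `hidden`, or `veryHidden` (the last is set only through the object model or VBA and is not offered in Excel's Unhide dialog), which is why hiding a tab protects nothing from anyone who receives the file. The workbook the script builds is a constructed sample with a dummy value, and the keyword list is a hypothetical starting point to be tuned for the data an office actually publishes.

```python
"""Pre-publication check for .xlsx files: enumerate every worksheet, including
hidden and veryHidden ones, and flag cell text that looks like a credential."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"

# Hypothetical keyword list; tune it for the documents you actually publish.
CRED_RE = re.compile(r"\b(bios|password|passwd|pwd|passphrase|pin|secret)\b", re.I)


def _shared_strings(z):
    """Return the workbook's shared-string table, or [] if it has none."""
    if "xl/sharedStrings.xml" not in z.namelist():
        return []
    root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{NS}}}t"))
            for si in root.iter(f"{{{NS}}}si")]


def _cell_texts(z, part, shared):
    """Yield the text of every string-typed cell in one worksheet part."""
    root = ET.fromstring(z.read(part))
    for c in root.iter(f"{{{NS}}}c"):
        kind = c.get("t")
        if kind == "s":                      # index into the shared-string table
            v = c.find(f"{{{NS}}}v")
            if v is not None and v.text:
                yield shared[int(v.text)]
        elif kind == "inlineStr":            # string stored inside the cell itself
            yield "".join(t.text or "" for t in c.iter(f"{{{NS}}}t"))


def list_sheets(xlsx_bytes):
    """Return [(name, state, part)] for all sheets; state is visible/hidden/veryHidden."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): r.get("Target")
                   for r in rels.iter(f"{{{NS_PR}}}Relationship")}
        sheets = []
        for s in wb.iter(f"{{{NS}}}sheet"):
            target = targets[s.get(f"{{{NS_R}}}id")]
            # Relationship targets are relative to xl/ unless written as absolute paths.
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            sheets.append((s.get("name"), s.get("state", "visible"), part))
        return sheets


def prepublication_report(xlsx_bytes):
    """Summarise hidden sheets and credential-like text; publish only if both lists are empty."""
    hidden, hits = [], []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = _shared_strings(z)
        for name, state, part in list_sheets(xlsx_bytes):
            if state != "visible":
                hidden.append((name, state))
            for text in _cell_texts(z, part, shared):
                if CRED_RE.search(text):
                    hits.append((name, text))
    return {"hidden_sheets": hidden, "keyword_hits": hits,
            "publish_ok": not hidden and not hits}


def build_sample_workbook(include_hidden=True):
    """Constructed sample (not the Colorado file): a visible inventory sheet plus,
    optionally, a hidden sheet with a dummy BIOS password and a veryHidden scratch sheet.
    Only the parts this checker reads are written; a real export also carries
    [Content_Types].xml and _rels/.rels."""
    def sheet_xml(cells):
        rows = "".join(f'<row r="{i}"><c r="A{i}" t="inlineStr"><is><t>{v}</t></is></c></row>'
                       for i, v in enumerate(cells, 1))
        return f'<worksheet xmlns="{NS}"><sheetData>{rows}</sheetData></worksheet>'

    sheets = [("Inventory", None, ["County", "Device model", "Serial"]),
              ("BIOS", "hidden", ["BIOS Password", "EXAMPLE-NOT-REAL-1234"]),
              ("notes", "veryHidden", ["scratch calculations"])]
    if not include_hidden:
        sheets = sheets[:1]
    wb_sheets, wb_rels = [], []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for i, (name, state, cells) in enumerate(sheets, 1):
            st = f' state="{state}"' if state else ""
            wb_sheets.append(f'<sheet name="{name}" sheetId="{i}"{st} r:id="rId{i}"/>')
            wb_rels.append(f'<Relationship Id="rId{i}" Target="worksheets/sheet{i}.xml" '
                           'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                           'relationships/worksheet"/>')
            z.writestr(f"xl/worksheets/sheet{i}.xml", sheet_xml(cells))
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{NS}" xmlns:r="{NS_R}">'
                   f'<sheets>{"".join(wb_sheets)}</sheets></workbook>')
        z.writestr("xl/_rels/workbook.xml.rels",
                   f'<Relationships xmlns="{NS_PR}">{"".join(wb_rels)}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    report = prepublication_report(build_sample_workbook())
    for name, state in report["hidden_sheets"]:
        print(f"BLOCK: sheet {name!r} is {state}")
    for name, text in report["keyword_hits"]:
        print(f"BLOCK: sheet {name!r} contains credential-like text: {text!r}")
    print("publish_ok =", report["publish_ok"])
```

Run against the constructed workbook, the report lists the `BIOS` sheet as hidden and the `notes` sheet as veryHidden, flags the "BIOS Password" header, and refuses publication; with `include_hidden=False` the same inventory sheet alone passes. A check like this belongs in the web-request review step the report recommends, before a content management team replaces a public PDF with a spreadsheet. Keyword matching is a coarse net, so a hidden or veryHidden sheet is blocked on its own regardless of what it contains.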

The department should also consider a transition and exit process for departing employees whose responsibilities include handling sensitive information to review where it is located and how the information should be handled. The department should also update its Acceptable Use Computing Policy to clarify requirements around managing passwords, and employees should be required to review and sign the policy annually.

“The Department of State thanks Baird Quinn for their thorough review of this matter,” Griswold said in a statement. “We are committed to implementing their recommendations to ensure a situation like this never occurs again.”


Colorado Newsline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Colorado Newsline maintains editorial independence. Contact Editor Quentin Young for questions: info@coloradonewsline.com. Follow Colorado Newsline on Facebook and X.