District Attorneys Launch Investigation Into Secretary of State Office Voting System Passwords Leak

The general election is over, but the fallout over the Colorado Secretary of State's Office leaking voting system passwords has just begun.

The Denver District Attorney’s Office is actively investigating the password leak with assistance from the 4th Judicial District Attorney in El Paso County, that office announced on Friday, November 8. Officials believe the leak originated in Secretary of State Jena Griswold's Denver-based office, but it involved current passwords for voting equipment in 34 Colorado counties, including El Paso.

The investigation announcement comes four days after the DA's office received two affidavits alleging that the incident violated Colorado law regarding accessing and tampering with voting equipment.

"We will cooperate with [Denver's] investigation and provide resources as needed," says Kate Singh, spokesperson for the 4th Judicial DA's Office. "This office will review the investigation conducted by the Denver DA’s Office to determine if further investigation should be conducted, and which office is best suited to complete any additional investigation."

For four months, hundreds of passwords for voting equipment were exposed on the Secretary of State's website, on an easily accessible hidden tab of a public spreadsheet. The Colorado Republican Party broke the news five days after Secretary Griswold says her office learned of the blunder, on October 24.

The revelation led to leaders of the state Republican Party demanding that Griswold resign, the Libertarian Party unsuccessfully suing to require a hand count of ballots in impacted counties, and even Democratic Governor Jared Polis calling for an independent investigation into the security breach.

Griswold says she hired an outside law firm to look into the incident — but now an independent investigation will happen regardless. State law requires that DA's offices investigate any incident in which a person files an affidavit alleging a violation of election laws.

"I am regretful for this error," Griswold said of the password leak in a statement on November 4. "I am dedicated to making sure we address this matter fully and that mistakes of this nature never happen again.”

According to Griswold's office, a former staff member created the spreadsheet that contained the voting system passwords in a hidden tab, which "is not in line" with the office's data security requirements. After the staff member left the office, someone else posted the spreadsheet online on June 21, seemingly unaware of the hidden passwords it contained. The spreadsheet and the passwords remained online until October 24.

Moving forward, the Secretary of State's Office says it will require additional cybersecurity training for staff, including password management.

The leak did not impact the security of Colorado's election. Two passwords are required to make changes to a voting system, according to Griswold's office; the leaked passwords accounted for only half of that pair. In addition, the passwords can only be used in person, with physical access to the voting equipment — which is mandated to be stored in secure rooms that require ID badges to access and have 24/7 video surveillance.

Denver District Court Judge Kandace Gerdes denied the Libertarian Party's hand-count lawsuit on Election Day, November 5, finding no evidence that voting system components were compromised.

Griswold has also declined to resign over the mishap, though this is far from the first time that she's found herself in hot water because of errors of her office. Only time will tell whether this latest gaffe comes with scalding legal consequences.