DENVER — A third-party investigation into how a spreadsheet of voting system passwords ended up on the Colorado secretary of state’s website for the world to see ahead of the Nov. 5 election concluded that the passwords were “mistakenly, unknowingly and unintentionally” posted online.
The report by Baird Quinn, LLC, the firm hired to conduct the investigation after the Colorado Department of State (CDOS) revealed the leak in late October also found that “a series of inadvertent and unforeseen events led to the public disclosure of the BIOS passwords.”
The report, released Monday morning, found that the “unique set of circumstances would have been difficult to anticipate,” and that “on an organizational level, the Secretary of State/CDOS consistently took significant and appropriate measures to protect state information, including the BIOS passwords.”
Notably, the report determined there was a policy failure to adequately “review the posted document to ensure that non-public information would not be disclosed.”
In the days following the incident, Griswold would tell Scripps News Denver that an employee mistakenly included partial passwords for voting systems in a spreadsheet anyone could download from her office’s website, adding her office took immediate steps to remedy the mishap.
That employee was no longer employed with the office, but Griswold would not say if that person was fired.
The incident added to scrutiny of Secretary of State Jena Grisworld, who had announced about a week earlier that her office had thwarted an attempt at voter fraud in Mesa County ahead of this year’s presidential election, and also fueled calls for her resignation from Colorado House Republicans.
Politics
Griswold says she won't resign after voting system passwords shared on website
Just days before the Nov. 5 election, the Libertarian Party of Colorado filed a lawsuit against Griswold in Denver District Court asking the court to order that Griswold recuse herself from overseeing the election and decommission any voting system device associated with the published passwords as well as allow for hand counts of votes in affected counties.
The petition was rejected by Denver District Court Judge Kandace Gerdes on Election Day, who argued that there was no evidence that Colorado’s voting system was compromised following the leaks.
In mid-November, Denver District Attorney Beth McCann announced her office had launched an investigation into the password leak, but would not divulge any additional details of the probe beyond confirming an open investigation.
The report issued seven recommendations for the Department to consider to minimize risk of any inadvertent disclosure in the future. They include the following:
1. Instituting a policy prohibiting the use of “hide” functions for highly sensitive or confidential information within documents.
2. Establishing a requirement that all passwords of any kind, whether they be individual user log-in credentials or password information such as the BIOS passwords, be kept only in a password safe unless an exception to that policy is granted in writing.
3. Requiring better training on the data protection features of the computer software programs used on a daily basis, such as Microsoft Excel and Word.
4. Updating the “Acceptable Use Computing Policy” (AUP) so the policy on the use of the password safe and the policy on creating and managing passwords are single stand-alone policies rather than policies contained at various places within the User ID and Password section of the AUP.
5. Requiring employees to review its AUP policy every year and sign that they have reviewed the document.
6. Creating a substantive review process for the Elections Division (and possibly other Divisions) for web requests involving posting documents to the Department website.
7. Reviewing the transition and exit processes for departing employees whose responsibilities involve handling sensitive or confidential information.
In a statement, Griswold said the department will commit to implementing all seven recommendations "as soon as practicable."
“The Department of State thanks Baird Quinn for their thorough review of this matter. We are committed to implementing their recommendations to ensure a situation like this never occurs again ” Griswold wrote.
___
Military Families Concerned As TRICARE To End Services With Children's Hospital Colorado
In the new year, military families covered by TRICARE insurance will need prior authorization for non-emergency services at Children's Hospital Colorado (Children's Colorado).
____
Watch KOAA News5 on your time, anytime with our free streaming app available for your Roku, FireTV, AppleTV and Android TV. Just search KOAA News5, download and start watching.