SecurityWeek

Colorado Accidentally Put Voting System Passwords Online, but Officials Say Election Is Secure

Voting system passwords were mistakenly put on the Colorado Secretary of State’s website for several months before being spotted and taken down, but the lapse did not pose an immediate threat to the upcoming election, said state election officials Tuesday.

The passwords were only one of two that are needed to access any component of Colorado’s voting systems, and are just one part of a layered security system, said Jack Todd, spokesperson for the Secretary of State’s office, in a statement. The two passwords are “kept in separate places and held by different parties,” he said.

“This is not a security threat,” said Colorado Secretary of State Jena Griswold in an interview on 9News Tuesday evening. She said her office is investigating, that not all of the passwords in the spreadsheet were active and there is no reason to believe there’s been a security breach.

Griswold said workers are changing passwords, looking at access logs and chain of custody books.

She frequently calls Colorado the gold standard for election security, though there have been some hiccups in the past. The error has brought criticism from the chairman of the Colorado Republican Party at a time of heightened scrutiny of the country’s election systems, though U.S. elections remain remarkably reliable.

Colorado law requires that election equipment is surveilled and stored in secure rooms — access to which is guarded, tracked and logged. Colorado voters fill out paper ballots, which are audited after the election.

Election officials learned last week that the spreadsheet, which held the passwords in a hidden tab, was available online. Once the lapse was discovered, Todd said, they acted immediately and informed the U.S. Cybersecurity and Infrastructure Security Agency.

The executive director of the Colorado Clerks Association, Matt Crane, told 9News that while the lapse was concerning, the association was satisfied with the Colorado Secretary of State’s response.

Chairman of the Colorado GOP, Dave Williams, sent a letter to the department Tuesday demanding that, among other things, the secretary of state confirm that the exposed passwords have since been changed.

Earlier this month, a Colorado county clerk, Tina Peters, was sentenced to nine years behind bars for a data-breach scheme based in false claims about voting machine fraud in the 2020 presidential race.
