Colorado voting system passwords exposed online due to investigation findings

In June 2024, passwords for Colorado's voting system were inadvertently posted on the Secretary of State's website due to a series of unforeseen events, according to an investigation by attorney Beth Doherty Quinn. The passwords, which were potentially active, were located in hidden tabs within a spreadsheet released online. This spreadsheet was meant to enhance transparency, as the previous format was a static PDF that did not allow manipulations. Upon discovery of the hidden tabs in late October, the investigation clarified that the employees involved had no knowledge of this software feature and acted without intent to compromise security. The investigator's report indicated that while no wrongdoing was found among Secretary of State Jena Griswold and her staff, two significant policies were violated in the handling of sensitive information. The incident arose from the transition of information presentation methods which led to the oversight of the hidden data. It was concluded that the practices in place for reviewing documents before posting online were insufficiently rigorous, and better precautions for password protection were needed to prevent future occurrences. Quinn recommended that all passwords used within the office should be stored securely using a dedicated software known as a "password safe." Additionally, she suggested implementing a detailed checklist for document reviews before their publication online. This checklist would prioritize the identification of hidden data and the removal of any metadata that could inadvertently disclose sensitive information. The findings have raised questions regarding the protocols in place at the Colorado Secretary of State’s office and whether these protocols adequately safeguard critical components of the election infrastructure. In response to the investigation, Griswold's spokesperson emphasized that the passwords did not pose a security threat to the state's voting systems. However, the uproar over the incident has highlighted the need for a reevaluation of security measures within the state's electoral process. The incident, although unintentional, underscores the significance of diligence in managing sensitive information in public offices tasked with upholding electoral integrity.