Partial passwords for election machines that were accidentally leaked on the Colorado secretary of state’s website pose no threat to the system’s security, the secretary’s office said in a statement on Tuesday night.
The passwords, which were exposed on a hidden tab in a spreadsheet online, were first revealed in a letter by Hope Scheppelman, the vice chair of the Colorado Republican Party. The passwords became visible when a user downloaded a voting systems inventory spreadsheet and clicked “unhide.”
According to an affidavit that accompanied Ms. Scheppelman’s letter, the passwords had been exposed since at least August.
But while the breach of password data is likely to erode confidence and invite disinformation in Colorado, there are multiple layers of security to protect the integrity of election machines in the state.
Election machines are not connected to the internet, and they are required to be kept in secure rooms that require ID badges for entry. They also have “24/7 video camera recording on all election equipment,” according to the secretary of state’s office.
Even if a person were to somehow gain access to a machine, the passwords revealed would not be sufficient.
“There are two unique passwords for every election equipment component, which are kept in separate places and held by different parties,” Jack Todd, a spokesman for the Colorado secretary of state, Jena Griswold, said in a statement. “Passwords can only be used with physical in-person access to a voting system.”
The statement also said the exposure would not affect how ballots are counted.
The department contacted the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, whose officials told the office that they would monitor the situation.
A representative for the Department of Homeland Security did not respond to a request for comment on Tuesday night.
Chris Krebs, the former director of the security agency, said the breach of passwords “highlights the critical importance of the various compensating controls in place that protect our nation’s election systems.”
“While this is an extremely unfortunate leak that may serve to undermine confidence in some circles and feed into conspiracy theories in others, it nonetheless has negligible if any technical impact on Colorado’s systems,” Mr. Krebs added.
The breach of password data resonates in Colorado, a state where Tina Peters, an election official from Mesa County, concocted a brazen and bizarre breach of election machines after the 2020 election.
She was recently sentenced to nine years in federal prison for her scheme.
Source: Elections - nytimes.com