By Joy Overbeck | Guest Commentary, Rocky Mountain Voice
Just a few days before the Nov. 5 election, Colorado voters learned that Democrat Secretary of State Jena Griswold’s office had posted critical election machine passwords online, passwords that could make hundreds of Dominion voting machines in most of the state’s 64 counties vulnerable to outside meddling.
Worse, Griswold had deliberately concealed this significant breach from the county clerks responsible for running the elections in their jurisdictions. As in most such government scandals, the cover-up debacle was more damaging than the original debacle. Or was it?
Immediately the hashtags #JailJena and #FreeTina started sprouting all over social media, referring to former Mesa County Clerk and Recorder Tina Peters, who is sitting in jail, slammed by a merciless judge with a nine-year prison sentence for trying to find out if her county’s elections had been compromised, which was her job. Griswold was quick to downplay the comparison, insisting in a local Channel 9 interview that “we don’t see this as a full security threat.”
Back in 2021, when Griswold accused Clerk Peters of exposing the critical BIOS (Basic Input/Output System) passwords — just as Griswold’s office did — the Secretary reacted by directing her operatives to swoop down on Mesa County, shut down and replace all the voting machines, and also replace Clerk Peters.
Channel 9’s Kyle Clark asked Griswold why she didn’t treat the statewide password leak the same, quoting the Secretary’s dire assessment back then: “The public disclosure of the BIOS passwords alone constitutes a serious breach of voting systems security protocols…” Amid a thicket of um’s and ah’s and sighs, Griswold responded that “we don’t see this as a full breach of voting systems security protocols…” because it takes two passwords to access a county’s voting system.
“That’s a bald-faced lie,” contends election security expert Clay Parikh who for 20 years has worked in the field for sensitive government entities like the Missile Defense Agency, and as a cyber expert witness in election court cases in Georgia, Colorado and elsewhere. “Any password is a serious security breach, but these were BIOS passwords that give you access to the actual hardware components where you can bypass any operational security. You can hire top notch people to come in and check these components and they won’t tell you 100 percent this is clean,” he says in a video explaining it.
When the leak was exposed, ironically by a press release from the Colorado Republican Party that had been clued in by a whistleblower, Griswold dispatched her fleet of fixers to Colorado’s counties on a mission to quickly change all their passwords. They checked the machine logs and Griswold proclaimed there was no evidence of possible intrusion by bad actors.
But, observes Parikh, there wouldn’t be any evidence if the intruder correctly entered the BIOS password that was posted on the Secretary of State’s website. Parikh explains he broke into the system simply by using a leaked BIOS password to create his own account. “I went to what I know to be the BIOS password, hit the system and removed the EMS admin password, clicked log-in with the EMS admin screen, and it logged me in with no password. I then accessed the election database and that’s how I got in and saw everything I needed to see.” He says anyone with a couple years of cyber election experience could do the same with the leaked passwords.
Parikh believes the two-password story is an excuse concocted to downplay the severity of the breach, and opines, “the likelihood that those passwords have been compromised and possibly used is high.”
Griswold concealed the massive password leak from the county clerks for months before the Nov. 5 election. When Kyle Clark asked if she had planned to ever tell the clerks or the public if the Colorado Republicans hadn’t outed the leaks on Oct. 24, 2024, she accused him of asking a gotcha question and never answered definitively. On Oct. 31, her deputy Christopher Beale held a conference call with irate county clerks, admitting he and Griswold had concealed the breach from the clerks out of fear of a media frenzy, which blew “Griswoldgate” all up even more.
Under pressure, Griswold hired a Denver law firm to investigate the central question of just how the top-secret passwords — that could enable breaking into hundreds of Colorado voting machines — got exposed on the Secretary of State’s website. Attorney-turned-cyber-sleuth Beth Doherty Quinn concluded in her 19-page report released on Dec. 8, 2024, that the password reveal resulted from a “series of inadvertent and unforeseen events” – isn’t that a children’s book title?
It seems a “former employee,” who is never named, decided that the state’s list of voting system components used by the counties, called the Voting Systems Inventory (VSI), that was posted on the Secretary of State’s website in PDF format, wasn’t transparent enough. And so, she migrated it to an Excel spreadsheet which exposed tabs that, when clicked, displayed the critical passwords. Full transparency at last!
This employee was hired as a Voting Systems Specialist in charge of the VSI in June of 2020 and on May 23, 2022, she created the new Excel spreadsheet in which the BIOS passwords could be viewed by virtually anyone who accessed the “hidden” but readily available tabs. Actually, the report found the passwords were also displayed on another part of the site, called the visible Inventory worksheet. Even more transparency!
This former employee told Quinn that she used the worksheets on the tabs like “scratch paper” that helped her clean up the inventory on the visible worksheet tabs, and to respond to inventory inquiries. She never told her fellow teammates about the hidden worksheet tabs, and they never discovered them, although “this file was used and reviewed by the whole Voting Systems team at various times” she revealed. In a further display of monumental incompetence, the staff specialists didn’t even know that the Excel function that informs the user if hidden worksheets exist in the document would have let them squelch the leak.
But if staff used the file, how could Ms. Quinn have decided that they didn’t know about the tabs that revealed the passwords, and were emotionally “devastated” when the Republican Party discovered the breach? By that time, the former employee was long gone, having resigned from the Secretary’s employ on May 19, 2023.
This person worked at the election office less than three years. Yet from her short tenure in the job, she created a huge potential danger to the voting systems of the entire state of Colorado by exposing the essential BIOS passwords to the eyes of foreign governments, ransom ware hackers and bad actors of every mercenary stripe and political persuasion. Who is this person and what are her allegiances and political connections? Since she posted the Excel worksheets with the BIOS tabs in May 2022, they were potentially visible for nearly two and a half years — until October 2024! We’ll likely never know if our elections were compromised and our votes changed.
It’s not at all clear whether the former employee’s action was deliberate or “accidental.” It’s very possible that she could be prosecuted for violating Colorado’s election law: C.R.S. § 1-13-708(2), which states:
“Any person who knowingly publishes or causes to be published passwords or other confidential information relating to a voting system shall immediately have their authorized access revoked and is guilty of a class 5 felony,” which can carry jail time and heavy fines.
And how liable is the Secretary herself for concealing the breach? Though Secretary Griswold is fond of claiming Colorado as the “gold standard” of fair and secure elections, she’s been having a real struggle selling that gold nugget mythology. This isn’t her first debacle, only her worst. In 2022, her office sent out notices to 30,000 noncitizens reminding them to register to vote, which of course is illegal for them to do. In the same year, the Secretary’s office sent reminder messages to citizens, encouraging them to vote when they had already done so, creating an epic mess for the county clerks to unscramble. And that same year she was re-elected.
The Colorado Republican Party is calling for both Griswold and her deputy Beale to resign. But Jena Griswold is reportedly preparing for her next political campaign in 2026 — as governor of Colorado.
Joy Overbeck is a Colorado journalist whose work has appeared at Townhall.com, The Washington Times, American Thinker, The Federalist, Complete Colorado, Rocky Mountain Voice, and elsewhere. Follow her on Facebook and on Twitter (X) @joyoverbeck1
Editor’s note: Opinions expressed in commentary pieces are those of the author and do not necessarily reflect the opinions of the management of the Rocky Mountain Voice, but even so we support the constitutional right of the author to express those opinions.