The Colorado Department of State has been alerted to and confirmed the release of two hard drive images from Mesa County election servers by election conspiracy theorists. While the investigation is ongoing, it appears these hard drive images contain copies of the election management software that runs voting system equipment in Mesa County.

The Colorado Secretary of State alerted the Director of the U.S. Cyber Security and Infrastructure Security Agency (CISA), which is an agency within the U.S. Department of Homeland Security, of this aspect of Mesa County Clerk and Recorder’s Office security breach. CISA has confirmed that it does not view this breach as a significant heightening of the election risk landscape at this point.

One of the hard drive images is believed to have been taken May 23. New information acquired during the Department of State’s investigation reveals that the secure room where this election equipment is stored was accessed on the evening of Sunday May 23, 2021, outside of normal work hours, by the Mesa County Clerk Tina Peters; Gerald Wood, the unauthorized individual who attended the Mesa County trusted build; and another Mesa County Clerk and Recorder employee.

Under the authority outlined in the Colorado Election Code, with respect to the Secretary’s role as the Chief Election Officer for the State of Colorado and her duty to supervise the conduct of elections, the Secretary of State Jena Griswold is now determining who to appoint to supervise Mesa County Elections.

Colorado has layers of security measures, both preventative and for detection purposes.  This includes restricted access, chain-of-custody logs, equipment that is under lock and key, multiple sets of passwords or keys that no single person holds, and tamper evident seals. Colorado’s election system is also segmented, with each county having its own closed network and systems across counties are not connected to one another. Election systems have separate sets of passwords; one set is only held by a few specific civil servants with the Department of State and the other is held by the county officials. No one person has all the keys to the system, as there are several passwords that are kept separate and protected by separate parties. Should there be an internal security breach like the one that occurred in Mesa County, in addition to the safeguards outlined prior to an election, Colorado also requires security protocols such as bipartisan testing on election equipment like tabulation machines before and after elections, mail ballot signature verification, and bipartisan risk limiting audits.

Last week, Secretary Griswold prohibited Mesa County’s election equipment from further useColorado orders Mesa County to replace election machines after data breach. The Colorado Secretary of State’s Office will continue its investigation into Mesa County Clerk and Recorder’s Office and is fully cooperating with the investigation undergoing concurrently by the District Attorney of the 21st Judicial District