The Department of Homeland Security has notified two states that Russian hackers attempted to scan networks other than their election systems in the run-up to the 2016 presidential election, contrary to details provided last week.
On Wednesday, California became the second state — after Wisconsin — to receive the clarification.
California Secretary of State Alex Padilla said in a statement that homeland security officials told him the scanning activity took place on the state technology department's network and not on the Secretary of State website, as the state was told last week.
"Our notification from DHS last Friday was not only a year late, it also turned out to be bad information," Padilla said in a statement.
He said the public and officials who oversee elections "deserve timely and accurate information" from Homeland Security.
Last week, the department notified election officials in 21 states that their systems were targeted last year "by Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure."
Most systems were not breached, and there is no evidence of actual tampering with voter registration databases or ballot tallies. In Illinois, however, hackers penetrated the voter registration network and spent three weeks rooting around before being discovered in July 2016. But officials said no information was changed.
Although the election systems in California and Wisconsin may not have been directly scanned, it does not mean hackers were not targeting them. Homeland Security spokesman Scott McConnell cautioned that "discussions of specific IP addresses do not provide a complete picture of potential targeting activity."
For instance, hackers could have been using the other state agencies or networks to provide an access point to eventually gain entrance to a state election system.
Several state election officials have expressed frustration that it took so long for Homeland Security to provide details on what happened in the months leading up to the presidential election.
Acting Secretary of Homeland Security Elaine Duke provided few specifics about the notification process during testimony Wednesday before the Senate Homeland Security and Governmental Affairs Committee.
Duke told senators that her department had notified an unspecified number of states about the attempts to hack their computer systems "back when the intrusion occurred." But she said that the agency did not tell all the appropriate officials at that time.
"What we learned from that and what we're correcting is that we notified the systems' owners, and that didn't necessarily notify the right senior officials that need to take action," she said, adding that the problem has since been corrected.
In California, the Secretary of State's office said it does not use the Department of Technology to provide IT services for its websites, internet-facing applications or the statewide voter registration database. In a statement, the technology department said its security systems worked as planned and that the "suspect activity" was blocked.
Meanwhile, Wisconsin's chief elections officer said Wednesday that he still doesn't know whether Homeland Security has provided the state with all available information about the hacking attempt.
The state was initially told that hackers had attempted to scan its internet-connected election infrastructure, likely seeking specific vulnerabilities to access voter registration databases. Days later, the Wisconsin Elections Board was told by Homeland Security officials that the scanning involved the state's Department of Workforce Development, which oversees job training and unemployment benefits.
The 21 states that told The Associated Press on Friday they had been targeted were: Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Virginia, Washington and Wisconsin.