Ninety percent of Nevada state websites are back online nearly three weeks after a cyberattack shut down the state’s systems, Gov. Joe Lombardo said at a press conference Friday.

In remarks lasting slightly more than 20 minutes, Lombardo reiterated that there is no evidence that personal information had been compromised, instead saying that the state believes the attacker received information related to internal state systems. The roughly 10 percent of systems that remain down include the state’s sex offender registry — which The Indy reported last week was down — and the state’s background check database.

“The fact that [the background check database] is currently down means we won’t be able to determine [a person’s] criminal history or their ability to purchase a gun or own a gun through the federal guidelines,” Lombardo said. “It’s a matter of going through dotting the I’s and crossing the T’s within that particular system to ensure that we have success before we release its availability. I am confident that we will release that in short order.”

Other state services, including all Department of Motor Vehicles (DMV) services and the public notice website, are back online, Lombardo said. The page to log into the Access Nevada platform also appears to be working, but it may require a user to clear their cache and browsing history. However, a spokesperson for the Division of Social Services said that the portal to apply for public benefits remains unavailable.

Read More: A timeline of Nevada’s cyberattack recovery

It marked Lombardo’s third press conference since the attack. As in prior public remarks, Lombardo declined to comment on the technical nature of the attack because of its sensitivity. The state has disclosed that it was a ransomware incident and that certain state data was taken out of Nevada.

He provided more information on how the state is working to shore up its systems. On Tuesday, the state reset employee passwords without notice, which Lombardo called “a defensive control to cut off any compromised credentials.” He cited the importance of limiting public alerts about recovery efforts, citing that in the three days following his first press conference, the state defended about 150 million hits to its firewalls — a number far exceeding typical levels.

The state has also initiated stronger security measures, including stricter minimum password requirements and expanding multifactor authentication “so criminals cannot reuse the old login information that the employees used previously,” Lombardo said. The state has also started to reestablish remote access — which rural users often use — with multifactor authentication. 

In his most recent press conference last week, Lombardo said there was no evidence that the attack compromised data related to the state’s financial systems and DMV, which had been one of the hardest hit agencies. Lombardo also said last week that the attack did not compromise data related to Medicaid, the Supplemental Nutrition Assistance Program and Temporary Assistance for Needy Families. 

Updated on 9/12/25 at 2:35 p.m. to include details on the status of the Access Nevada platform, and on 9/12/25 at 2:55 p.m. to add a link to a timeline of recovery efforts.