BUFFALO, N.Y. (WIVB) — Buffalo Public Schools parents and teachers are receiving some alarming news about a cyber security breach two months ago.

School officials now confirm, it was a ransomware attack.

Based on notices Buffalo school officials are sending out to families, the cyber attack in March could affect the personal information of Buffalo teachers, parents, and even companies that do business with Buffalo Public Schools.

Officials now say, the cyber attack took place on the morning of Friday, March 12 but that is when it was discovered. Cyber security expert Dave Newell suspects, the malware was already hidden in the schools’ network well before that.

“It wasn’t just that they planted software that encrypted the data, it was that they spread throughout the network and took a lot of different data,” Newell said.

Classes were shut down for two days following the cyber attack, while parents and teachers pleaded with school officials for information.

Buffalo Teachers Federation President Phil Rumore says, “and then when it finally does come on Friday evening people started getting letters that don’t even have who the letter is from. It is not from the district, and they started calling BTF, what is this, is this a scam?”

In a letter to parents, Buffalo school officials referred to “vendor information” that might have been exposed in the security breach which would have come from accounting information.

But teachers received a letter form Kroll, a cyber security firm hired by the school district, telling them specifically employee data might have compromised, including Social Security numbers, direct deposit information from payroll, and their addresses, phone numbers, and emergency contacts.

“And what is more disturbing is that we have a feeling that there is a lot more information that is not included in that letter that we are probably going to discover,” Rumore added.

Law enforcement, including the FBI, is investigating the cyber attack. Buffalo Public Schools issued a brief statement confirming the data breach, and that Kroll would be providing free credit monitoring for a year.

The teachers union plans to sue, they are calling for the credit monitoring to be permanent.