BUFFALO, N.Y. — As the investigation continues into last Friday's cybersecurity attack, parents of students in Buffalo Public Schools are left wondering how this happened.

What You Need To Know

  • BPS experienced a cybersecurity attack Friday
  • It canceled in-person and remote instruction on Monday
  • Parents are trying to figure out how this happened 
​​

"Those in the data security space always say to any organization, ‘it's not if it will be breached or compromised, the question is when,’" said Anna Mercado Clark, who leads Phillips Lytle’s Data Security & Privacy Practice team.

That when is now for Buffalo Public Schools as local, state, and federal law enforcement investigate a cybersecurity attack that shocked the district.

"This is bad, this is really bad. Did they not anticipate something of this magnitude happening?" Dion Jackson, a BPS parent, said.

District leaders say the breach happened Friday morning and their investigative team has identified findings related to its root cause and potential overall impact to BPS systems.

"Did they get any information, any social security numbers, phone numbers, addresses? Buffalo Public Schools has all of that information. I think that's the main thing that I'm concerned about. I want my kids back in school but I also want everything to be safe,” said Jasmine Hardy, a BPS parent.

Hardy has two children in Buffalo Public Schools and says her 6-year-old son was supposed to return to in-person learning Monday.

"His first time back in school in a whole year, my son has not been to school since last year and it's been killing us, both of them. It's hard on everybody, really bad. I'm just hoping they can get this fixed," she said.

Hardy tells Spectrum News remote learning has been tough on her children and she's frustrated the attack could prolong remote learning for them. Meanwhile, other parents are wondering if the district had a security system or network to prevent something like this from happening.

"It didn't surprise me that it happened, only because of the hiccups that they've had before where they had trouble getting the virtual learning off the ground to begin with. Any time you give people access to information like that, into a system like that, like the Buffalo Public School system, you would think that they would have security measures in place," Jackson said.

Jackson knows it's been a tough past 12 months, especially for students, and thinks the cyberattack can potentially only make things worse.

"Buffalo Public Schools dropped the ball,” he said. “It's just not fair to the kids because they are the ones that ultimately end up suffering."

Clark, who's also a partner at Phillips Lytle, reminds that preparation makes all the difference in these instances.

"That includes having a robust data protection program, policies in place, enforcement of those policies, constant communication and education of the users because really data protection should not be looked at a technology issue. It's really more of a human issue, a lot of the data breaches that you hear about really resulted from somebody clicking the wrong link on an email or using a password that's not secure,” she said.

The district says the lead investigative consultant and FBI have not determined there was an exposure of personally identifiable information. The investigation is expected to last for at least two more weeks.