The Oregon Driver and Motor Vehicle Services confirmed Thursday that an estimated 3.5 million driver’s license and identification card files were compromised when the agency was hacked two weeks ago.

Agency spokesperson Michelle Godfrey said Thursday that the agency realized on Monday that the breach had extended to about 90% of the state’s driver’s license and ID card files.

The Oregonian first made inquiries about the security breach on Wednesday; DMV officials took nearly a day to respond with answers. Godfrey said the agency planned to wait until Friday to go public because officials are still preparing agency employees for how to respond to Oregonians’ questions and concerns about how to protect themselves.

Godfrey advised the public to monitor credit reports for signs of fraudulent activity.

Godfrey said state officials became aware on June 1 that the agency’s system had been hacked. Two hours later, the systems were locked down, she said.

“But we didn’t have any information about what data may have been affected at that time,” she said. “It’s taken days of analysis” to determine that the hack compromised the state’s driver license and ID records.

“That took it to a whole new level,” she said.

After the news organization’s inquiry, the state Department of Transportation issued a press release saying the agency was among many organizations affected by the breach as a result of a “global hack of the data transfer software MOVEit Transfer.”

Sensitive personal information on millions of holders of driver’s licenses and ID cards were compromised, the agency said.

The agency has used the popular file sharing tool since 2015. On June 1, the Cybersecurity and Infrastructure Security Agency issued a zero-day vulnerability alert that said the software had a “vulnerability which could allow an attacker to ‘take over an affected system.’”

A third-party security specialist determined that multiple files had been accessed by unauthorized actors before the agency received the official alert.

“We do not have the ability to identify if any specific individual’s data has been breached,” the agency said in a statement. “Individuals who have an active Oregon ID or driver’s license should assume information related to that ID is part of this breach.”