¶ Intro / Opening
Recording in progress.
¶ Introduction
I clicked it this time, guys.
Yes, you did. Thank you, Mark.
On tonight's episode, we break down the latest cybersecurity reports from Clever and CoSN, discuss the updates on PowerSchool's breach, and interview Mark Keierleber from The 74 about his latest exposé on breach coaches. Thanks for listening.
Live from the NTP studios, this is the K-12 Tech Talk podcast. This is episode 201. We are beyond the hallmark, the, I don't know, big milestone episode of 200 with Tanya Haddix.
I'm still tired from it.
Tom Ryan and the guys from Pro and all sorts of people.
Your boy?
Your boy, Jackson?
Yeah, that's right. I think Mark was more excited than I was to see Tanya based on the replay of the video that I've watched about 10 times. No, no.
No, I was excited more to see Josh's face. You were speechless.
Yeah, I wasn't speechless. I wasn't speechless. Uh, so let's see, it's, uh, we're post Super Bowl too. Mark, did you, did, yeah, how'd.
That go for you guys? How'd that go?
I, it's fine. I didn't want kids. It was.
A terrible game to watch.
Yeah, yeah. Do you guys in Boston celebrate the Super Bowl with the Patriots not in it anymore? It's.
Fun to watch the game.
Since you cheated all those years. Um, I.
Thought the commercials sucked, by the way.
I like the Pringle commercial with the mustaches flying around. I thought that was funny. And then I, I, the Google commercial almost made me cry. No.
Maybe just because you want the Pixel.
No, it was like a tugging-at-the-heartstrings commercial. Google fanboy, whatever. I mean, I'm not gonna alienate half the audience here, but just say the two of us have Pixel phones. Let's just leave it at that. It'd.
Be interesting to figure out, like, of our audience, what's the breakdown between Android and iPhone users.
It's.
Yeah.
I'm going to refrain from making jokes because, like I said, I don't want to alienate our listening audience.
But, Josh, how do you feel about Microsoft?
Necessary evil.
Okay. Okay.
That's a good answer. Yeah.
How about Teams?
Team. That's where I was like, where is this going? Team sucks. Any what's what's going on? Chris, you want to hit our first sponsor ClassLink while we're at it real quick?
Yeah, ClassLink. We've said this before. There's just ed tech tools all over the place. They've tripled in the last three years, basically. All this technology makes new challenges for us. So the first start of getting a good handle on that is with something like an SSO that ClassLink can do for you. Something like rostering that ClassLink can do for you.
Security is a pretty big deal. Multi-factor authentication, even with your students, is something that we talk about to move towards anyway. ClassLink can help you with all that, so check out ClassLink at classlink.com.
Mark, when you were in the classroom, did you, did we, did your school district have Chromebooks at the time for student use? No.
They hadn't. Oh, this is gonna date me. They weren't even invented.
Cardboard.
Okay. I was going to say, do you have any firsthand stories of manually rostering, uh, class rosters into an ed tech application before services like ClassLink would automatically roster that information for you from your SIS?
Um, so when I taught it was, I mean, honestly it was, it was to think about it was like 2012, I think was last time I was in the class 2011 and there really wasn't a lot of applications that were geared towards one-to-one because, you know, that was, that really was just on the edge. Yeah. So you weren't really rostering applications. In fact, I don't really remember too many things where my students had to even log in. God, I'm old. Whatever.
I'm older than you.
Yeah, you're old. I
Am old. I'm losing my hair and going gray. Uh, yeah, so that rostering feature makes a huge difference from a classroom side of things and interoperability. So yeah, check out ClassLink. Mark, you have – well, first, should we tease the interview that we have at
¶ The 74: ”Hired Guns”
the end of the episode here?
Yeah. So one of the articles from the news today was from The 74. They're a journalistic publication that simply just goes about education. And they published an article called Kept in the Dark, Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden. It's a fascinating article. I definitely recommend you look at it and read it. And there's a whole lot of links to additional information, additional articles, but it's all about the people who school districts hire to manage a breach.
And some of their motivations are may not necessarily be in the best interest of the public. And the balance between keeping these things private and secure or confidential versus letting the public know exactly what happened. And so we interviewed the author of that one, Mark Keierleber, and that will come up the end of this article or the end of this episode.
If you want to stay tuned for that one, gentlemen, without spoiling the interview, any thoughts on on this particular article or this idea of hiring a breach coach?
I always have thoughts.
Really? It's going to spoil it, though.
Probably. No, I'll try not to. Um, we want our listeners to draw their own conclusion from the interview, but it, there are recurring themes that we have heard, um, time and time again, when we interview places that have been hit with a, an incident or a breach that the second they call their insurance company and they are told to contact one of these breach coach companies or these breach response companies, they are handing over control of the network and all decision-making
to these breach coaches. It just confirms everything that we've heard from all the interviews that we've done and it I think I told you guys multiple times last night it just does not make me feel good like that is not a situation where, I'm a control freak. My network is my network. And if I'm going to hand over the keys, it's boy, that's not going to be a pleasant experience for me.
I still remember. And I mean, just flashback to it when there was a neighboring school district to me that we do something bad was happening to them. The tech was communicating that out to all the other techs in the area. You know, we're kind of get the play by play. We were being there for that person. And then the button got pressed. And everything went silent and your colleague went silent, you know, per the attorney, per his boss, all that kind of thing.
And even like time passed, months passed, and we never like heard like report letter. We never heard like what happened. Yeah. This article unpacks that, this interview unpacks that. And you kind of want to fault the person and be aggravated with the person. But then again, like you're saying, Josh, if you're just doing what is the best right thing to do, that's what you're doing. But that could mean giving up control.
Well, and the other issue that I take with not necessarily the article, but some of the non-experienced person could draw a conclusion that districts, when they engage these breach coaches or these forensic companies, they are taking advantage of the secrecy and the attorney-client privilege that takes place there and not being forthright with parents and staff and students. And unfortunately, I think that's a little bit of the light that could be painted on districts that go through this, too.
And that is completely irresponsible and inappropriate thought. That's a little irritating to me.
Well, not to pivot, but this is a perfect segue. Pivot! Our next article is an update on PowerSchool, which, speaking of organizations that have gone silent after a breach, we have heard barely a peep from PowerSchool since this whole issue.
¶ PowerSchool Breach Update
And you'll hear in our interview with Mark, we drew a few conclusions around PowerSchool. We're very complimentary of PowerSchool, debating that they're very open and honest. And suddenly they've gone crazy. You know, in comparison, they've gone very quiet. Well, NBC just released their first publication, more national publication about what's going on here.
And they did attain some information behind the scenes, including either the CrowdStrike report or maybe a portion of the CrowdStrike report that does confirm PowerSchool did not have MFA on this account.
And so that was something we had talked about: was there MFA or not, was it insufficient? Uh, it appears, uh, from, from internal information that, that PowerSchool did unfortunately have, and I'm going to say the whole sentence because this is how painful it is, they had an account that had access to export data from every single client that was in the hands of a subcontractor and not protected by MFA. Hey, yeah, that's the latest. Unfortunately, not much new
news on PowerSchool, but that's the latest from NBC. It
Is funny, not funny. So we did that PowerSchool breach, yeah, special section on K-12 Tech Pro, and we have time stamps on things, and it's like, whenever that was, like back to like the beginning of January, it's like every single day we're posting information because information is coming out. And then there's a hard stop and then the crickets begin.
Yeah.
And you know, was that the day they fit? They figure out the MFA thing. Like they're like, Oh, Oh, we don't have MFA. Quit talking. Right. Quit talking.
Shut up. Shut up. Everybody shut up.
They had promised to have the, that, um, CrowdStrike report. They had somebody released that one pager from CrowdStrike that was like super vague. And yeah, really rehashing information that was already released, but there hasn't been anything else come out, right, Mark? No, no, no.
We are over a month now from when it first happened, and I think it was about...
From the weekend they said it would be released.
Yeah, that CrowdStrike article that you're referring to, the interim fact sheet, that was January 17th.
Yeah. Talk about breach coaches, I guess. Yeah, that's the latest.
¶ COSN Cybersecurity Briefing
Next up, though, related to cybersecurity, CoSN released their annual state and federal cybersecurity policy and education briefing, which we're not going to get into current events. I know there's a lot to talk about when it comes to federal education policy.
No.
But this is a good one. This is more about a deep dive into what's going on at the state level and what are states passing for policies. It's a very, very long and in-depth report. It's about 30 pages or so and actually goes state by state. But CoSN kind of highlights there's five main themes that they're either seeing or they want us, they want state legislators to focus on. So the first is comprehensive cybersecurity education programs, which is great.
I'm starting to see some of those things in my own state, in Massachusetts, and we're starting to see more and more states boost cybersecurity education programs, both for the people that are doing the work as well as for students. The second category is cybersecurity grant programs, which we've talked about a million times on this show with all the grant funds that are going out there.
They've all been paused.
The third category is incident reporting and response. So supporting districts and towns and building their incident response and reporting mechanisms. Fourth is public-private partnerships. And the fifth is AI and cybersecurity integration. So those are the policy recommendations from CoSN.
Was there a policy about nominating a national cyber director that has no experience, or was that skipped?
Hey, keep your politics out of here.
Yeah.
I'm going to ring the wrestling bell on that one.
Ding, ding, ding. No, that's the Department of Education, Mark. So the thing that I— Hey, hey. It would be ridiculous if it wasn't true. Um, so the, the thing that I, that I liked about that CoSN report, Mark, was that you could drill down to, um, state level and see the activity that was taking place.
Or lack of.
Or lack of Missouri, um, taking place at a state level, either pending, uh, laws that are, that are getting floated or laws that have taken effect in the last couple of years. Um, you know, the, the big state really, uh, Ohio is kind of a trailblazer in the cyber responsibility law realm with the, there are, uh, reasonable cybersecurity, uh, steps.
Uh, there's a couple others that are following suit. Uh, and if, if you're looking at trying to get that started in your state or asking your legislature to look at that, Ohio's laws are, uh, pretty darn good. They're, they're kind of the benchmark at this point. So if you're interested, take a look.
I'm impressed. I think one of the more, I guess you could say explosive ones in here is from Tennessee, which the proposed law prohibits state entities from contracting with or negotiating with system hackers. In other words, your system has been taken over, no more negotiation and also no paying.
And how does that work with an insurance company that's more than willing to pay? And does that on the shady side of things?
Oh, you just found the loophole in Tennessee here. That's a great question.
Say that again.
So if Tennessee passes this law that says a state entity or a governmental entity cannot pay or we don't negotiate with bad guys, how does that work with your insurance company, is going to work with a shadow broker who is going to take payment from the insurance company, turn it into Bitcoin, give it to the shadow broker who's going to wash it and hand it off to the bad guy. Like, that's how this happens. That's how this works.
It's a great question. This is, and I'm just looking at the headline from CoSN's report. This is about blocking and prohibiting state entities from contacting, contracting and negotiating and paying hackers. I don't know if that extends to their insurance companies.
Yeah. That's, that's the intro, and again, we kind of touch on that in this interview with, with, um, Mark from, from The 74, uh, coming up at the end of this episode. But that, again, that's one of those things that just gives me a gross feeling. Yeah. Um, I don't know. Chris, why don't you talk about Safer Watch real quick? Not.
Gross is Safer Watch. Go to saferwatchapp.com. They put school safety all into one app. If you're not familiar with Safety Watch, check them out. So they can do anonymous.
Safer Watch.
Safer Watch. What'd I say?
Safety Watch.
Oh boy. Safer Watch. Anonymous tip reporting, threat reporting, incident management, drill tracking, threat assessment. They can do your panic alerts, mass notification, reunification, and more. And it's pretty cool because their app is slick. So check out SaferWatchApp.com.
¶ Clever’s Cyber Secure Report
All right, and finally, uh, another report from an organization we've talked about: Clever's Cyber Secure 2025 report. This is a pretty in-depth report on some of the different trends. They talk with their customers, talk with education experts and technology experts on what are the trends going on right now, and they've got some key findings here. So let's go through this real quickly. 90 percent of, uh, teachers have MFA enabled. That's an incredible statistic that 90% of teachers have MFA
currently in place. 95% of IT staff, which should be 100.
Yeah, that's concerning.
But yes, that's...
PowerSchool. It's probably just PowerSchool employees.
So, 90-95%, that's an incredible metric. Can you guess what percentage of students have MFA enabled?
Less than 10.
Yeah.
Correct. 5% of students have MFA enabled. And to go along with that, 1 in 4 school districts are experiencing an increase in cyber attacks, specifically targeting student accounts. So we're seeing that's a tremendous percentage of school districts, but only 5% have MFA enabled. And they're also 70% of administrators believe that AI is increasing their cybersecurity risk.
I know I've seen phishing attacks that were very, very clearly generated through AI and they are a whole lot more deadly and dangerous because all those common things, the spelling mistakes, the grammar mistakes, they're not there. So that's a scary thing to think about. And it's very simple to do.
I know Clever says that 90% of, I'm sure it's 90% of the schools they've surveyed have faculty turned on an MFA. Every once in a while, I will still hear an anecdotal story from either, you know, leadership in my district or a teacher or another tech director in a different part of the state that says, oh, you would be shocked at this huge district that doesn't enforce or require MFA. I don't understand how that is still happening right now.
So that's a great question. I think when you look at that, what's the 10% of teachers? Where are they? I know in certain districts, especially the larger districts where you have much stronger teachers unions, it's harder to roll out MFA. I was very lucky. I have a very supportive and helpful teachers union who recognized the importance of this. They wanted to make sure we did it right, but they didn't block us from doing
it. But I have talked to some of my colleagues in other large districts where that's the hardest part of getting it through. So I think some of the numbers could be these larger districts. I think overall your numbers might even decrease if you start looking at the schools that are not engaged with companies like Clever. They're not responding to these surveys.
You know what? That's another great conversation I had this week about, you know, is State Department of Education in Missouri, are they setting superintendents up for failure by not helping them understand the priorities of technology? Like, you know, you think of outstate Missouri, very, very rural, small districts. They have a very difficult time recruiting IT staff. Is the Department of Education helping those superintendents in those districts, one, recruit qualified staff?
Two, helping them understand what that IT staff is saying when they come to them and say, we need to do MFA and, you know, maybe can't justify, but give a couple decent reasons besides our insurance carriers requiring it. But I really think, at least in Missouri, the Department of Education could do a much better job at telling superintendents or helping superintendents understand that technology talk or that technology priority. I don't know how to explain it.
Um, even rostering and SSO, they had their roots coming from tech department. Like we're the ones that evangelized, Hey, we can go to this SSO thing or how you can start doing rostering. Uh, but if you told the other side, like the superintendent, well, or the principal, well, or the teachers, well, on what that looks like when it's automated, they would, they would be, you know, yelling from the rooftops for it.
But so then you take the small schools or the rural schools that don't have the tech departments pushing for it. Yeah, they're not going to whatever MFA is,
You know, or even even a focus on data privacy agreements. Like, I'm super thankful that I have an extremely supportive central office and principals that allow me to be very hard on DPAs. Yeah. There are superintendents in Missouri that don't even know what that is. They don't know the responsibility of the district to keep that data private and what happens during a breach. Yeah, but I don't know what the solution is, really.
I don't know what's going to move the needle with superintendents and that buy-in.
I think there's just a natural progression is more and more districts. You get to 90, 95% with MFA rolled out. That last five or 10% is going, well, wait a minute. Okay. I guess we can't wait any longer. That peer pressure definitely works with school districts.
The other thing though, that I think it's a very, very hard number to calculate, but just because you have MFA maybe on your Google or Office 365 account does not mean that all of your applications are enabled with single sign-on either through Clever or through your identity provider. And so you have a number of these districts that are at 90%, 95% of employees have MFA turned on, but the applications and all the data, it's not single sign-ons, so it's a moot point.
Well, they might have it turned on their Google accounts or their Office 365 account, but not have it turned on on their Infinite Campus or PowerSchool account.
Didn't I just say that?
No. You said they're not SSOing.
Okay, yeah, we, we've had banter, uh, when we do those, whatever, in our area tech meetings and all the, all the techs together, and you ask, like, well, who's doing, who's doing MFA? And everybody raises hand, and then you're like, oh, you're only talking about Google, right? Yeah. But in some people's minds, like, just because they do Google, they, they, and even to their insurance company, they're reporting that they're doing, uh, MFA. Well,
can you define that a little bit more? Because, yeah, you pick one thing of the many things. Yeah.
Yeah, they, it's almost like they need to turn on SSO. Get it? See what I did there?
Got that. Well, anyways, the Clever Report. Clever Report's great. They go through a lot of different other metrics and even talk about parent accounts and some more on student accounts. And obviously address the elephant in the room, which is that cell phone bans are taking effect. So you start to look for.
CoSN needs to update their document. That is some legislative action that the state of Missouri is taking is going to ban cell phones in classrooms. Yeah. All right.
So that's it for the news. We obviously talked at the beginning.
¶ Interview with Mark Keierleber
We talked about the 74 report, which we'll go into more in depth through this interview.
We have a Fortinet vulnerability.
Yeah, Josh was making a face at you, Mark. I don't know if you were catching that.
He was cutting me off.
But Josh is not finished with the news.
I'm not done, Mark. Fortinet disclosed another firewall authentication.
By the way, before Josh says anything negative about Fortinet, they are a proud sponsor of the K-12 Tech Talk podcast, and we appreciate their transparency. Email FortinetPodcast at Fortinet.com.
Yes. In their transparency, they have said that they found another authentication bypass. It was patched in January. I think the FortiOS version that you need to be running is 7.2.10 or greater. Oh, no, this is 7.2.13 or greater. So if you're running something less than that, you need to get patched.
Got to keep it. I want to say separated. What would be a patch?
Got to keep it. Separated.
Got to keep a patch.
You want to talk about our final two sponsors, Chris, before we hit this interview?
Two in a row?
Well, what are you going to... I mean, you can...
Well, I do want to talk about Managed Methods. Managedmethods.com. If you reach out to them, if you get a demo from them, make sure you talk about K12 Tech Talk. They can provide you with affordable cybersecurity, student safety monitoring, and more. And they can do that pretty much on whatever your budget is. They have a classroom manager and content filter as well. And then let's talk about Vizor, V-I-Z-O-R. It's a great time to look at Vizor, especially, I just mentioned budget.
If your budget is tight right now, you are halfway through your school year. Vizor's help desk is now included with Vizor's standard edition at no additional cost. They can do your help desk without a particular limit on the number of agents. So they can work with small, medium, large size school districts. And they have this low-cost edition too called Essentials. If you're a school that only wants their asset management.
So they can do your check in, your check out, your Google admin integration, inventory management and all that stuff. If you check them out, you will get a free K-12 Tech Talk hoodie. So go to vizor.cloud slash K-12 Tech Talk. That's Vizor, V-I-Z-O-R dot cloud slash K-12 Tech Talk.
Do you want to announce the winner?
Oh, boy, do I want to announce the winner. So we did episode 200. We had the K-12 Tech Pro crew on there and pretty cool. So Chromebook Parts is hanging out with us for 2025. If you're not on K-12 Tech Pro, you should be. We hit 1,000 members pretty much in sync with our 200th episode, which is pretty cool. We're in every state and beyond. But Chromebook Parts is working with us. So you can get discounted parts from them. And then we partnered with Wise Certification.
So if you're a Chromebook tech, you fix Chromebooks. If you're a Pro member, you can take that Wise Certification at a discounted rate. But Chromebook Parts, they gave away 200 toolkits. If you're listening to this and Hayden, the new guy, emailed you back and said, got it. That means I think they said it's probably going to be about a month, but they'll be shipping out. So congrats to that if you got an email back from us. But with that, they're giving away $1,000 in repairs.
And we have our winner. Uh, and, uh, I'm going to reach out to this person after the show, but it is a listener Ian with the shout out, uh, listener Ian. If you're listening and your name is Ian, you might be the only Ian that's listening. Uh, check your email, uh, because you won a thousand bucks for your school district.
Well, according to our statistics, we have 34 Ians. Oh my God.
So all of them are really excited right now.
Yeah. So you're going to, you're going to disappoint 33 Ians. Yeah.
All right. Moving into the main topic, this is our interview with Mark. We are here with Mark Keierleber, who is a reporter from The 74. And he has just finished a pretty explosive piece on cyber breaches in K-12 school districts, which we're going to talk about the details of it. And it was a collaboration between The 74 and Wired. And the article, which we'll link in the show notes, is it's a pretty incredible article, both the content that's in the article and even just the format of it.
I really loved how interactive it was, and you can click through it. So we'll give you a summary of the article, but I definitely recommend taking a look at the article when you're done with this. So Mark, tell us about yourself and what got you to this subject.
Hey, thanks so much for having me on. I really appreciate the opportunity to talk about this. I'm a reporter at The 74. It's a national K-12 education news website where I write about issues related to school safety and security. Historically, that has included physical safety related to school shootings, but certainly that also includes, in the current environment, more and more so safety online. And how I approach this topic is looking at it through the lens of students' civil rights, right?
So how do the decisions that educators make about school safety or school security affect students' everyday lives. And I actually really got interested in the ransomware topic specifically a few years ago after a cyber attack, ransomware attack on the Los Angeles Unified School District.
It's the second largest school district in the country. And I had been listening to a press conference with the superintendent and he said any reports from law enforcement, from a law enforcement source, that the breach documents had included students' psychological evaluations was incorrect. And I thought that was a little bit odd. You know, we've got these law enforcement sources telling the press that really extensive psychiatric information about students is on the dark web.
And you've got the leader of the second largest school district in the country saying that's not true. Well, my first instinct was, let's get on the dark web and let's figure this out. And so that's what I did. I taught myself with the help of some smart folks in this space to start tracking the behaviors of these different ransomware gangs that are increasingly targeting schools and to actually analyze the kind of data that they're leaking.
And the first finding was, indeed, psychological evaluations are on the dark web, living perhaps indefinitely on a leaked site from a ransomware gang known as Vice Society. And when I started downloading and looking at these files, I was frankly quite shocked at how expansive they were because they include the entire life history of students and the adverse childhood experiences that they may have, the disabilities that they have, the accommodations that they need for those disabilities.
And that kind of set the stage for the story about, hey, you know, we often think about, you know, data breaches as being our social security numbers and our credit cards and data that might be used for, you know, typical forms of cybercrime like fraud. But the data that I was seeing was far more expansive than that and far more personal, right? Things that are, you know, central to kids' lives that are going to follow them for the rest of their lives, right? That don't change.
Like a credit card number, you can change that. But the fact that you were a victim of child abuse is something that can't be changed. And having that kind of information on the internet available, especially with the rise of AI and dark web monitoring, et cetera, I just saw that as being something worthy of exploring. And so for a long time, more than a year, I went down what I call the rabbit hole, right?
And just really started tracking the behaviors of the ransomware gangs, going on leaked sites when new schools popped up and trying to learn as much about all of these different ransomware or cyber attacks, not all of them are ransomware, but all of these different cyber attacks as I could.
And I found that it was really quite difficult to learn about a lot of what had happened. And sometimes I would learn about a cyber attack through a disclosure with the Maine Attorney General's office, even though the school itself was based in California. And that became one way that myself and other researchers who have been diving into data breaches really started digging into the scale, right? Is, hey, we have to actually go to other states to learn about cyber attacks.
Maine, for example, requires a public disclosure if a single Maine resident's information, certain specific information, right, like social security numbers were exposed online. Other states like New York, for example, they don't have that kind of public disclosure. Just talking with sources in the field and learning as much as I could about it, I really became interested in the role of these breach coaches and the insurance companies that really come in to lead the response.
And part of that comes back to, here I am trying to get information about these attacks, and I'm filing public records requests, and a lot of these are coming back. Well, we actually can't tell you that because that's subject to attorney-client privilege. Or I'll be tracking another cyber attack, and the public statement will say, well, there's this ongoing investigation, and so we can't really talk about it.
And what I later learned is that oftentimes that investigation is not a criminal investigation, but actually one that's being conducted by these breach coaches, these lawyers who are hired by school districts.
We've done a number of ransomware interviews with districts that have been hit with ransomware here on the show. And one of the things, one of the recurring topics that come up during that is, you know, they realize they've got a problem. They figured out that they need to engage their insurance company and have a cyber response of some sort. That means bringing in someone from the outside and ultimately ends up being these cyber coaches or these breach response companies.
Unfortunately, the common theme is once that happens, the district, one, loses all ability to make decisions about their network and the response. It's 100% on this breach response company to make those decisions. And two, they are told that they can no longer talk about this with anyone outside, including any sort of law enforcement at a state local level, as well as a federal level, like if they wanted to engage the FBI.
All of those communications have to take place through the cyber response company. Is that something that you saw as a trend in your digging as well? Yeah.
Absolutely. So after a cyber attack is identified by a school district, they call up their insurance providers or sometimes they call up the breach coach first, depending on their incident response plan. And at that point, it is the job of this breach coach, who's a lawyer, to make these notifications to law enforcement in some cases, to hire forensics experts to analyze and determine, you know, the cause of the attack and to negotiate with the threat actors.
Vendors that pay cyber attackers in Bitcoin. And then, you know, mailing centers to mail the state mandated breach notices. All of these different, these pieces come together under the breach coach. And that's by design. It's about attorney client privilege, pretty explicitly so, right? The idea is that when an incident happens, any action that a school leader takes becomes the subject of public records. And frankly, that's how I got some information, right? The public records requests.
But the idea being, hey, we need to get in lawyers ASAP so that any kind of action that we take can be, you know, covered by a shield under, you know, the idea of attorney-client privilege. Oftentimes, you know, that's discussed through the lens of ensuring that cyber criminals don't have access to that kind of information.
Hey, we're trying to keep the institution safe. But there's pretty explicitly, you know, an effort to at least ultimately these lawyers, right, their job is to protect their clients. And their clients are the school districts and the insurance companies who could be the subject of class action data breach lawsuits or regulatory proceedings.
Uh, and, and so that's, I, I mean, I guess that's the first and foremost, um, role of the breach coach is to protect their client from any kind of adverse effects. And that's the route that a lot of schools are taking is, Hey, you know, in the immediate aftermath of a breach, uh, we need to, we need to be thinking about ways that, uh, you know, we're minimizing damage.
Do you see these breach coaches, um, um, leaning more towards paying the ransom than not paying the ransom? Apparently, that seems to be more of a trend recently. If the threat actor pinky promises not to release the data, then we'll go ahead and pay. I mean, the PowerSchool thing comes to mind, and we've heard of a couple other districts doing that locally, where it seems like the breach coach is predisposed to wanting to pay the threat actor.
Did you come across that at all, or have you made that assumption?
So what motivates a school district to pay, I have found to be somewhat complicated. Though what I have been told by breach coaches directly is that oftentimes what's motivating a decision to pay is a need to get up and moving quickly. So in the event of a cyber attack, a ransomware attack, the threat actor will lock down a school district's computer network, and they can't get into it.
And they have to cancel classes for the day. And you've got these parents that are relying on schools as child care. And, hey, now what are we going to do? And there's a lot of disruptions that take place as a result of having to shut down schools. And so educators, first and foremost, think, well, what can we do to get back in the business? And in this case, it's the business of educating kids. And so from my understanding, that is a large motivator in why any entity is going to pay.
It's not necessarily about maybe the extent of the data that a threat actor might have or the nature of the data that they might have, but really just about, you know, getting back in the systems.
So it's so hard to think about or to not think about parallels to, you know, the PowerSchool breach, which has hit so many districts right now. And, you know, one of the things that we noticed is very, very early on, PowerSchool came out, led a webinar. It was extremely transparent and suddenly it just got quiet shortly thereafter.
Do you believe that, you know, we don't know what's going on behind the scenes of PowerSchool, but, you know, should we draw a parallel to what we're seeing with breach coaches? Do you think that these breach coaches are trying to protect the financial interest of the district and say, look, the more you talk, the more you're opening yourself up to lawsuits and issues? Or is this more about trying to control the message because in the middle of negotiation with the threat actor?
Yeah, that's a great question. And in the immediate aftermath of a cyber attack, that is what an institution says right off the bat, right, more often than not, is, well, we really can't say much right now because we're, you know, we're still negotiating with threat actors. And they don't usually say that explicitly, right, that they're in those negotiations, but that this is an active issue, a pending investigation.
And there is a reluctance to say much early on because threat actors have used school districts and other entities' public statements as part of their strategy, right? So if a school district says something early on, the threat actor might pick up on that and alter their plan. Or in some cases, if a school district does say something that might not be fully accurate, the threat actor might mock them for it. And that probably doesn't look very good.
However, what we're talking about in a lot of these cases is obfuscation for months or more than a year. And in many cases, like in Los Angeles, we're talking about a case where a school leader has already said, hey, we have no plans of engaging, negotiating with terrorists, as a quote from the superintendent of LA is we're not going to negotiate with terrorists.
And Doug Levin mentioned, you know, has a response to that in my article where it's like, okay, well, if you've already said, hey, we're not going to negotiate with threat actors, then the negotiation is over. You know, you need to come clean.
So the three of us work in school districts. What is your experience for a school district who's saying, I don't know how to negotiate with terrorists. I don't know how to do anything that you're saying. I don't know how to respond. I don't know how to pay in Bitcoin. I need to depend on these breach coaches and my insurance company. What should school districts do when engaging with these companies to kind of stop this pattern of obfuscation, as you described?
Right. I mean, it's a great question because school districts, as we know, are up against a really big challenge. Sometimes we're talking about cyber criminals who are foreign state actors. And, you know, sometimes they're sophisticated cyberattacks, sometimes their sophistication is less so, but schools more or less not, you know, staffing an IT department like some Fortune 500 company.
And they don't have the IT department of some big major enterprise, even though they have the data of, you know, a big major enterprise. And that does put schools in a serious bind. Well, who do you call when this happens? I've heard from numerous school leaders saying, hey, we would love to call federal law enforcement.
In fact, they did call federal law enforcement, but there was little that the police could really do beyond, hey, you know, write down your name, look into it, and maybe some of these cyber attackers will be arrested. Some of them have, right, in the last few months. But, yeah, you're right. Schools feel, leaders feel like they need to turn somewhere.
And if they have insurance, they actually have to turn to insurance quickly because their policies outline, you know, a timeline for how quickly they have to notify them if they ever want to get covered. And, you know, if you're spending a lot of money on cybersecurity insurance and you get, you know, a cyber attack, you certainly should be taking advantage of the services that you've paid for.
I would imagine that a community would be pretty frustrated if you spent big bucks on this policy and didn't then take the steps that are outlined in it. And that might open you up to a new lawsuit. It's a tough question because I'm not sure I have a great answer of what a school leader should do because you're right. They're in a box.
Well, and I think it speaks to the bigger problem because, one, it is an insurance policy or the majority are insurance policies. And the insurance company is therefore telling you what to do. And if you directly go against their advice or don't listen to them, the insurance company is going to say, guess what, bud? We're not paying now. You didn't follow our advice. You went and talked to local media or you went with a response company that was not on our approved list.
You didn't follow our advice. You've waived the policy. We're not paying. Now you're on the hook for taking care of all the breach notification, taking care of, if it needs to happen, the credit monitoring for 4,000 people, that kind of thing. So from that perspective, the district is kind of in a bind because, one, you're being held hostage, you've been attacked, and now you're, I don't want to say you're being held hostage by your insurance company, but you kind of are.
I mean, they're telling you very prescriptive steps that you must take to be covered and have this paid for. I see that's where the problem comes in.
You make a really interesting point about, um, coverage of different services too. Keep in mind that these, um, uh, insurance companies actually maintain lists of approved vendors, right? So, hey, if you are insured by company X and you're the victim of a ransomware attack, here are the two breach coach companies that you can choose from, pick one. Here are the different forensics companies that you can pick from, pick one.
I've seen instances where schools actually wanted to pick one response company and the insurer actually came back and said, well, you can do that, but that's not on our approved vendor list. And as a result, you'll see less coverage. So we'll cover $50,000 making this number up. But we'll cover $50,000 in services if it comes from a vendor on our approved list, but only $25,000 if you pick it yourself.
I've kind of seen hearing hearing these stories from these interviews that we've done, reading articles like yours, the two articles that have been published recently. I've gotten a view of these breach responses or these breach coaches in a negative view, almost almost not as bad as the person doing the attack, because that's despicable and horrible. You're attacking a school.
But I don't know, the fact that they go out of their way and stay within the bounds of the law in these guardrails of the law, because that's their job, but they try to keep it quiet and hidden as long as possible. Like, you know, the examples in your article, 18 months down the road, there is breach notifications going out because they've been able to keep it under wraps that long. I don't know. It just, it puts a, it puts them in a bad light for me for some reason. Yeah, you got.
Bad guy hacker on one side. And then over here, you have ethics and some different things that you're battling. And again, what you said at the beginning, it's all about the student. We're trying to do what's best for the kid. Those are... Neither of those are good. You're not making two marks. One, having two marks on one Zoom call doesn't make me feel good, but that doesn't make you feel good about either side.
I think as a tech department or even as district administration, you're just kind of feeling lost in it because you don't know who's the good. Yeah, you're battling two bad things.
Your district is going to want to do the right thing for their people. And if those people are the students and parents or those people are your employees, depending on whose data is taken or at risk here, you want to be transparent with those people. And if you have a quarterback telling you, you can't talk about this for 18 months, that's not a good feeling or that's not a good position to put a superintendent or an IT director in.
Because if it were to happen to me, I would want to reassure people, look, we're doing everything we can. We know the scope is this. These are the steps that we're going to take to protect this and make sure that this is right. But if you're being gagged and you can't say that, that, I don't know, that would. You're the water boy and.
There's no water. It's like, I don't know.
Right.
Ready to go. Oh, there's no water. OK, I'll just sit here.
You know, but, you know, looking at this just momentarily from a breach coach's perspective, you know, I had one breach coach said, hey, schools are not in the position to guess. They're not in the position to, you know, overshare information because you want to be really accurate in your messaging to the public. And you don't want to find yourself in a position where you have to correct yourself or retract statements, even though a lot of schools had to do that
to acknowledge breaches later on. Right. But what's really interesting to me is the idea that transparency comes at the end of a full forensic review. And that being so a breach occurred or sorry, they won't a breach coach won't want you to use the word breach until actual PII has been uncovered. You have an incident at first, right? So it's for an event or an encryption event or whatever that the creativity and in the not saying the word ransomware is right, is quite remarkable. All right.
So, okay. So you've got, you've got an event and the breach coach comes in and they hire investigators to look at the extent, you know, open all of the files and track how many social security numbers exist. And I can tell you, it's hard work. We're talking about, you know, data breaches of hundreds of thousands of individual files.
And sometimes you've got Excel spreadsheets with, you know, thousands of social security numbers in the same folder as like some, I don't know, elementary reading assignment. And so you might open a file and it's a coloring book. And then the next file you open, it's like a kid's psychiatric evaluation, right? So we are talking about an extensive amount of forensics work.
However, what is at play here is while all of that is going on, while this investigation is going on, it's keep information quiet. You know, we don't we don't want to overstate at all. So we don't say anything. And that creates this void for, like I said, you know, sometimes more than a year that, you know, that investigation has to go on.
And we found all of these Social Security numbers. Well, now we need to determine who lives in what state, because there are all of these different notification laws. And, oh, well, this was, you know, this kind of data. And in this state, that kind of data is covered by the breach notice law. And, oh, what is that person's phone number? What is their current mailing address so that we can mail them a letter?
All of that has to happen before an acknowledgement comes under the strategy that has been used.
Yeah.
So, Mark, you've got a series of articles coming out related to this. The first one's already come out about LAUSD. Can you tell us a little bit more about some of the articles that we expect to see from The 74 and Wired?
So as part of this project, I was filing public records requests with dozens of districts. I was downloading data from ransomware gangs' leak sites. I was using a tool called GovSpend to track school district procurement. I ended up coming back with just this remarkable amount of data that's like, this is not just one story. This is going to be a lot of stories. And perhaps what ultimately drove me to the point of insanity was about 300 of them, 321 people.
Over a five-year period between January 1st, 2020, and the end of last year. The idea being, hey, cyber attacks have really surged during the pandemic at a time when kids' reliance on technology was at an all-time high. I started, you know, just kind of thinking, well, this is like a little investigation in Los Angeles in its own right. You know, hey, we've, you know, people have never seen some of these documents before. I'm going to write a story about that just outlines this.
It's just, and these kind of became what are 300 individual little case studies. Los Angeles was, you know, because it was the origin of the story to begin with, it was the first kind of like vignette, mini, mini investigation that we ended up publishing. But over the next month or so, we're going to, we're going to keep pushing them out.
You know, a lot of them contain investigative reveals that didn't make it into the main story, but might be really interesting, revelatory for local people in particular. I'll give you an example of Minneapolis public schools. So that was Minneapolis is an earlier cyber attack that I kind of began to look at and to audit the extent of the breach. And they got a lot of flack early on because they called it an encryption event. And that drove a lot of people in this space a little bit nutty.
Well, anyway, I did a bunch of public records requests there. And what I got was actually the report to the FBI. And it was filed, signed by a lawyer with the law firm Mullen Coughlin, which is one of the most dominant law firms that specialize in the breach coach response. Well, let's just say the details of what happened, according to the reports to the FBI, are quite different than the facts and the sequence of events as spelled out to the public. So I advise you to read that one.
But yeah, over the next few weeks or so, we'll be seeing these miniature kind of vignettes to highlight, hey, here's how this kind of, you know, how these attacks play out at a really local level.
All right. Well, Mark, we appreciate you taking time out of your afternoon to spend with us and tell us about this.
Yeah, thanks for making us feel even worse about the state of energy.
Chris has got a cold. He doesn't feel good. He feels even better now. My fever's back. Yeah. We appreciate your time today, Mark. We look forward to your forthcoming articles. Thanks for your time, Mark. Thank you, Mark.
We might not be the same But you share the same pain that I do
The views and opinions expressed on the K12 Tech Talk podcast are the personal opinions of Josh, Chris, and Mark and do not represent the views or opinions of our sponsors or other organizations that we're affiliated with. The material and information presented here is for general information and entertainment purposes only. Thanks for listening, and we'll see you next week.
