The Silent Crisis: How Breach Coaches Control the Narrative in School Cyberattacks

When cyberattacks happen, how transparent should schools be about the breach?

In a recent K-12 TechTalk podcast, "Unveiling the Shadow World of Breach Coaches," the host interviewed Mark Keierleber of The Story Behind the Story: How I Investigated More Than 300 Cyberattacks. The conversation sheds light on the challenges districts and institutions face when a breach is handed over to a breach coach. Spending over a year learning everything he could about K-12 cyberattacks, what he uncovered is horrifying.

Here is an excerpt from the article:
“The hollowness in schools’ messaging and the mechanisms that leave school communities clueless are no coincidence. Staring down a cyberattack and the prospect of being sued over the leak of sensitive information, school leaders turn to insurance companies, consultants, and privacy lawyers to steer ‘privileged investigations,’ which keep key details hidden from the public. Often contacted before the police, the paid consultants who arrive in the wake of a cyberattack are portrayed to the public as an encouraging sign, trained to handle the bad actors and restore learning. But what isn’t as apparent to students, parents, and district employees is that these individuals are not there to protect them—but to protect schools from them.”

The podcast led me to reflect on the broader issues we’re seeing across K-12 institutions, including the recent PowerSchool breach—an event that has sparked a lot of conversation and frustration within the education community. If you haven’t followed the PowerSchool breach (which I highly doubt!), it happened when cybercriminals accessed a customer support portal and extracted sensitive data from the PowerSchool database. This breach exposed personal information of millions of students, teachers, and families. PowerSchool responded quickly with an informative webinar and was incredibly transparent in their communication. But after that, things went quiet. We can only assume that breach coaches and legal teams are now controlling the narrative that a former employee’s credentials were left active, and the support portal was not using multi-factor authentication (MFA). Yikes.

The silence from schools and organizations involved is also troubling. This silence creates a dangerous disconnect, leaving students, families, and staff in the dark about the true extent of the breach. The absence of clear, open communication not only erodes trust but also leaves communities vulnerable to further harm—whether that’s identity theft, privacy violations, or the long-term impact of compromised data.

Both the podcast and the article are well worth a read—Mark has published other pieces, and based on his interview, it’s clear he’s uncovered a wealth of information that will fuel many more articles in the future.

This breach is just one example of the growing threat landscape in education. As cyber threats evolve, schools must adopt robust security frameworks and invest in training staff to recognize and mitigate risks. Data security is not just about reacting after a breach—it’s about prevention. For schools looking to strengthen their data security, now is the time to review your MFA protocols, complete a data map exercise, and investigate the breach protocols required by your insurance company. Don't wait for a crisis—let's proactively protect the future of our schools. If you need guidance or an audit to assess your current data landscape, I’m here to help.