Ex-IT Worker Gets 21 Months for 21-Month Cyberattack on Iowa School

Key Takeaways

- Potter retained access credentials after leaving his job and used them to attack systems for 21 months
- The attacks disabled Apple device management, deleted Gmail accounts, and disrupted classroom platforms
- Potter must pay $60,000 in restitution and was caught partly because a former coworker turned over evidence
A 21-Month Campaign of Digital Sabotage
Ezekiel Dean Potter, 34, worked as a senior IT support specialist for the Saydel Community School District in Des Moines from May 2022 through April 2023. When his employment ended, he kept his access credentials. Then he spent the next 21 months using them to attack the district that had employed him.
A federal court sentenced Potter to 21 months in prison on June 13, 2026. He must also pay approximately $60,000 in restitution to the school district and its insurer.
“For over a year and a half, Defendant was a plague on the Saydel Community School District. He deleted SCSD's Facebook page, stripped its employees of access to educational platforms and accounts, and tried again and again to reset its employees' usernames and passwords for various other platforms and accounts.”
— U.S. Government sentencing memorandum
How the Attacks Unfolded
The sabotage started shortly after Potter left the district. First, the school's Facebook page disappeared. Then Potter targeted the district's Apple School Manager account, deleting user accounts, passwords, phone numbers, billing information, and device management server data.
This attack had immediate classroom consequences. School employees could not access the Apple School Manager platform. District MacBooks and iPads lost remote management capabilities for roughly a week while staff worked with Apple to recover access.
The district also faced unauthorized access attempts against its GoDaddy account and other online services.
Attacks Escalated in 2025
In January 2025, Potter accessed the district's Schoology learning management system through a Google administrator account. He deleted an IT employee's account. Teachers lost access to the platform, and classes were disrupted for approximately two hours.
A week later, Potter accessed another administrator account and deleted nine Gmail accounts. These belonged to current and former district employees, including the IT director and superintendent.
After receiving Google security alerts about unauthorized access, Potter switched to using a VPN service to mask his location. But federal investigators traced some of his activity to IP addresses associated with his subsequent employers: Casey's Store Support Center and The Printer Inc. (TPI).
A Former Coworker Helped Build the Case
After Potter left TPI in January 2025, he asked a former coworker to retrieve a USB drive from his desk and wipe it. The coworker did retrieve it. But instead of wiping it, they turned the drive over to investigators.
Court documents indicate Potter had gathered more than 300 unauthorized user account credentials following his termination. He stored these to facilitate his ongoing attacks against the school district.
What Went Wrong With Offboarding
Discussion in IT security communities has focused on the offboarding failures that made this attack possible. When Potter left the district, his administrative credentials remained active. This gave him ongoing access to systems he should have been locked out of on his last day.
Standard security practice calls for revoking all administrative privileges immediately upon employee termination. Passwords and credentials should be rotated. Log auditing should flag unexpected access patterns, especially from former employees.
None of these safeguards caught Potter for 21 months.
- Revoke all access credentials the day employment ends
- Rotate shared passwords and admin credentials after any IT staff departure
- Audit logs for access from unexpected IP addresses or at unusual times
- Implement alerts for administrative actions like mass account deletions
- Review which accounts have administrator privileges quarterly
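One way to implement the log-audit and alerting items above, as an added example that is not from the original article or from the district's systems: three detection rules run over constructed audit events. The event tuple layout, account names, IP addresses, roster date and thresholds are assumptions for illustration, not any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed offboarding roster: account -> last day of employment.
OFFBOARDED = {"former.admin@district.example": datetime(2023, 4, 30)}
# Constructed allowlist of networks admins normally work from.
KNOWN_ADMIN_IPS = {"198.51.100.10"}
# Constructed audit events: (time, actor, action, target, source IP).
EVENTS = [
    ("2025-01-13T08:02:00", "it.director@district.example", "LOGIN", "-", "198.51.100.10"),
    ("2025-01-13T21:40:00", "former.admin@district.example", "LOGIN", "-", "203.0.113.77"),
    ("2025-01-20T22:01:00", "shared.admin@district.example", "DELETE_USER", "a@district.example", "203.0.113.77"),
    ("2025-01-20T22:03:00", "shared.admin@district.example", "DELETE_USER", "b@district.example", "203.0.113.77"),
    ("2025-01-20T22:04:00", "shared.admin@district.example", "DELETE_USER", "c@district.example", "203.0.113.77"),
    ("2025-01-21T09:15:00", "it.director@district.example", "DELETE_USER", "d@district.example", "198.51.100.10"),
]

def detect(events, offboarded, known_ips, threshold=3, window=timedelta(minutes=10)):
    """Return (rule, actor, timestamp) alerts for the three audit rules."""
    alerts = []
    deletes = defaultdict(list)  # actor -> deletion times still inside the window
    for ts, actor, action, _target, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        # Rule 1: any activity by an account after its owner's last day.
        last_day = offboarded.get(actor)
        if last_day and when > last_day:
            alerts.append(("POST_TERMINATION_ACCESS", actor, ts))
        # Rule 2: admin-console activity from an address outside the allowlist.
        if ip not in known_ips:
            alerts.append(("UNEXPECTED_IP", actor, ts))
        # Rule 3: a burst of account deletions by one actor.
        if action == "DELETE_USER":
            recent = [t for t in deletes[actor] if when - t <= window] + [when]
            deletes[actor] = recent
            if len(recent) == threshold:  # fire once as the burst crosses the threshold
                alerts.append(("MASS_DELETION", actor, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, OFFBOARDED, KNOWN_ADMIN_IPS):
        print(*alert, sep="  ")
```

Rule 1 only fires while the departed employee's own account is still live; activity carried out through another administrator account is caught by rules 2 and 3, which is why the list pairs revocation with credential rotation and alerting.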
The Broader Problem of Insider Threats
Potter's case illustrates a persistent vulnerability in organizations of all sizes. IT staff, by definition, have elevated access to critical systems. When they leave under any circumstances, they represent a potential insider threat if access is not properly terminated.
School districts face particular challenges. They often operate with limited IT budgets and staff. Security practices that are standard at large corporations may not be in place. A single IT specialist may have broad access across multiple platforms with no one monitoring their activity.
The Saydel case also shows how attacks on educational systems directly harm students. When Schoology went down, teachers could not run their classes. When device management failed, iPads and MacBooks became unmanageable for a week. These are not abstract business impacts. They are disruptions to children's education.
Frequently Asked Questions
What did Ezekiel Dean Potter do to the school district?
Potter used retained access credentials to delete the district's Facebook page, disable Apple device management, delete Gmail accounts for staff including the superintendent, and disrupt classroom learning platforms over a 21-month period after his employment ended.
How much did the cyberattack cost the school district?
The attacks caused approximately $60,000 in damages and remediation costs. Potter was ordered to pay this amount in restitution.
How was Potter caught?
Investigators traced activity to IP addresses at Potter's subsequent employers. A former coworker also turned over a USB drive Potter had asked them to wipe, which contained evidence including more than 300 unauthorized credentials.
How can organizations prevent insider cyberattacks?
Key steps include immediately revoking all access credentials when employees leave, rotating shared passwords after IT staff departures, implementing log auditing to detect unusual access patterns, and regularly reviewing who has administrator privileges.
What sentence did Potter receive?
Potter was sentenced to 21 months in federal prison and ordered to pay approximately $60,000 in restitution to the school district and its insurer.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer