Ex-IT Worker Gets 21 Months for 21-Month Cyberattack on Iowa School

Manaal Khan | 14 June 2026 at 2:46 am | 5 min read
Key Takeaways

Source: BleepingComputer
  • Potter retained access credentials after leaving his job and used them to attack systems for 21 months
  • The attacks disabled Apple device management, deleted Gmail accounts, and disrupted classroom platforms
  • Potter must pay $60,000 in restitution and was caught partly because a former coworker turned over evidence

A 21-Month Campaign of Digital Sabotage

Ezekiel Dean Potter, 34, worked as a senior IT support specialist for the Saydel Community School District in Des Moines from May 2022 through April 2023. When his employment ended, he kept his access credentials. Then he spent the next 21 months using them to attack the district that had employed him.

A federal court sentenced Potter to 21 months in prison on June 13, 2026. He must also pay approximately $60,000 in restitution to the school district and its insurer.

$60,000: Restitution ordered for damages caused by Potter's attacks on the school district's systems

"For over a year and a half, Defendant was a plague on the Saydel Community School District. He deleted SCSD's Facebook page, stripped its employees of access to educational platforms and accounts, and tried again and again to reset its employees' usernames and passwords for various other platforms and accounts."

— U.S. Government sentencing memorandum

How the Attacks Unfolded

The sabotage started shortly after Potter left the district. First, the school's Facebook page disappeared. Then Potter targeted the district's Apple School Manager account, deleting user accounts, passwords, phone numbers, billing information, and device management server data.

This attack had immediate classroom consequences. School employees could not access the Apple School Manager platform. District MacBooks and iPads lost remote management capabilities for roughly a week while staff worked with Apple to recover access.

The district also faced unauthorized access attempts against its GoDaddy account and other online services.

  • April 2023: Potter's employment at Saydel Community School District ends
  • Shortly after April 2023: District's Facebook page deleted; Apple School Manager compromised
  • January 2025: Potter accesses Schoology learning system, deletes IT employee account, disrupts classes for two hours
  • One week later: Potter deletes nine Gmail accounts belonging to staff including IT director and superintendent
  • January 2025: Potter asks former coworker to retrieve and wipe USB drive; coworker turns it over to investigators
  • June 13, 2026: Potter sentenced to 21 months in federal prison

Attacks Escalated in 2025

In January 2025, Potter accessed the district's Schoology learning management system through a Google administrator account. He deleted an IT employee's account. Teachers lost access to the platform, and classes were disrupted for approximately two hours.

A week later, Potter accessed another administrator account and deleted nine Gmail accounts. These belonged to current and former district employees, including the IT director and superintendent.

After receiving Google security alerts about unauthorized access, Potter switched to using a VPN service to mask his location. But federal investigators traced some of his activity to IP addresses associated with his subsequent employers: Casey's Store Support Center and The Printer Inc. (TPI).

A Former Coworker Helped Build the Case

After Potter left TPI in January 2025, he asked a former coworker to retrieve a USB drive from his desk and wipe it. The coworker did retrieve it. But instead of wiping it, they turned the drive over to investigators.

Court documents indicate Potter had gathered more than 300 unauthorized user account credentials following his termination. He stored these to facilitate his ongoing attacks against the school district.

What Went Wrong With Offboarding

Discussion in IT security communities has focused on the offboarding failures that made this attack possible. When Potter left the district, his administrative credentials remained active. This gave him ongoing access to systems he should have been locked out of on his last day.

Standard security practice calls for revoking all administrative privileges immediately upon employee termination. Passwords and credentials should be rotated. Log auditing should flag unexpected access patterns, especially from former employees.

None of these safeguards caught Potter for 21 months.

  • Revoke all access credentials the day employment ends
  • Rotate shared passwords and admin credentials after any IT staff departure
  • Audit logs for access from unexpected IP addresses or at unusual times
  • Implement alerts for administrative actions like mass account deletions
  • Review which accounts have administrator privileges quarterly
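
The log-audit and alerting items above can be expressed as three detection rules. The sketch below is an added example, not code from the district, the investigation or any vendor: the event fields, account names, IP ranges and thresholds are all constructed assumptions, and a real deployment would read the same facts from the identity provider's admin audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration (hypothetical accounts,
# documentation-range IPs); the field layout is not any vendor's log schema.
OFFBOARDED = {"former.tech@district.example": datetime(2023, 4, 30)}  # actor -> end date
EXPECTED_NETS = [ip_network("198.51.100.0/24")]  # assumed district egress range
BURST_THRESHOLD = 5                    # deletions by one actor ...
BURST_WINDOW = timedelta(minutes=10)   # ... inside this window

EVENTS = [  # (timestamp, actor, action, target, source_ip)
    ("2025-01-14T09:02:00", "it.director@district.example", "CREATE_USER", "new.teacher", "198.51.100.7"),
    ("2025-01-14T21:40:00", "former.tech@district.example", "RESET_PASSWORD", "staff01", "203.0.113.50"),
    *[(f"2025-01-21T22:1{i}:00", "admin2@district.example", "DELETE_USER", f"staff{i:02d}", "203.0.113.99")
      for i in range(6)],
]

def detect(events):
    """Return (rule, actor, timestamp) alerts for a list of admin audit events."""
    alerts = []
    deletions = defaultdict(list)  # actor -> deletion times still inside the window
    for ts, actor, action, target, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        # Rule 1: any admin action by an account that should have been revoked.
        end = OFFBOARDED.get(actor)
        if end and when > end:
            alerts.append(("OFFBOARDED_ACTOR", actor, ts))
        # Rule 2: admin action from outside the expected networks. This also
        # covers a still-valid admin account being used by someone else.
        if not any(ip_address(ip) in net for net in EXPECTED_NETS):
            alerts.append(("UNEXPECTED_SOURCE", actor, ts))
        # Rule 3: burst of account deletions by one actor (sliding window).
        if action == "DELETE_USER":
            recent = [t for t in deletions[actor] if when - t <= BURST_WINDOW]
            recent.append(when)
            deletions[actor] = recent
            if len(recent) == BURST_THRESHOLD:  # alert once, as the threshold is crossed
                alerts.append(("DELETION_BURST", actor, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Rule 2 matters because revoking one person's account does nothing about other administrator credentials that person may still hold, which is why the rotation item in the list sits alongside revocation.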

The Broader Problem of Insider Threats

Potter's case illustrates a persistent vulnerability in organizations of all sizes. IT staff, by definition, have elevated access to critical systems. When they leave under any circumstances, they represent a potential insider threat if access is not properly terminated.

School districts face particular challenges. They often operate with limited IT budgets and staff. Security practices that are standard at large corporations may not be in place. A single IT specialist may have broad access across multiple platforms with no one monitoring their activity.

The Saydel case also shows how attacks on educational systems directly harm students. When Schoology went down, teachers could not run their classes. When device management failed, iPads and MacBooks became unmanageable for a week. These are not abstract business impacts. They are disruptions to children's education.

Frequently Asked Questions

What did Ezekiel Dean Potter do to the school district?

Over a 21-month period after his employment ended, Potter used retained access credentials to delete the district's Facebook page, disable Apple device management, delete Gmail accounts for staff including the superintendent, and disrupt classroom learning platforms.

How much did the cyberattack cost the school district?

The attacks caused approximately $60,000 in damages and remediation costs. Potter was ordered to pay this amount in restitution.

How was Potter caught?

Investigators traced activity to IP addresses at Potter's subsequent employers. A former coworker also turned over a USB drive Potter had asked them to wipe, which contained evidence including more than 300 unauthorized credentials.

How can organizations prevent insider cyberattacks?

Key steps include immediately revoking all access credentials when employees leave, rotating shared passwords after IT staff departures, implementing log auditing to detect unusual access patterns, and regularly reviewing who has administrator privileges.

What sentence did Potter receive?

Potter was sentenced to 21 months in federal prison and ordered to pay approximately $60,000 in restitution to the school district and its insurer.
