Ex-school district employee jailed for hacks on former employer

Ex-School District IT Employee Jailed for Hacks on Former Employer

OverviewA former IT employee of an Iowa school district was sentenced to 21 months in prison for conducting a sustained cyberattack against the district after his departure. The actions disrupted classroom operations, led to the deletion of user accounts, and generated tens of thousands of dollars in remediation costs. The case illustrates how access can be misused long after employment ends and how investigators trace activity across multiple systems and services.

BackgroundThe individual at the center of the case was Ezekiel Dean Potter, age 34. He previously held the role of senior IT support specialist for the Saydel Community School District in Des Moines, serving from May 2022 until April 2023. Following his departure, prosecutors contend that Potter retained access credentials and continued to target the district’s technology infrastructure over a period spanning more than a year and a half.

Prolonged Cyberattack and TacticsThe district described Potter’s conduct as a prolonged disruption that began after his exit and persisted for an extended period. Key facets of the activity included:

• Deletion and denial of access: The district’s social media presence, in particular its Facebook page, was deleted, and staff were systematically deprived of access to educational platforms and accounts.
• Password and login manipulation: Potter repeatedly attempted to reset usernames and passwords for various district systems, effectively locking out employees from critical tools.
• Targeting core administrative and educational platforms: The attacks extended to Apple School Manager, Google administrator accounts, Schoology, and Gmail accounts used by current and former district staff.
• Disruption of device management: By compromising Apple School Manager data, the district’s ability to manage district-owned MacBooks and iPads was hampered for roughly a week as Apple assisted in restoring access.
• External service compromises: Attempts were observed against the district’s GoDaddy account and other online services.
• VPN usage and security alerts: After receiving Google security alerts about unauthorized access, Potter reportedly shifted to using a VPN service to conceal activity.
• Traces to other employers: Federal investigators traced some of the activity to IP addresses associated with Potter’s prior employers, including Casey’s Store Support Center and The Printer Inc. (TPI).
• Evidence collection: Investigators recovered a USB drive from Potter’s desk, after a coworker retrieved it at his request. The drive allegedly contained spreadsheets listing usernames and passwords for Saydel School District accounts and services.

Timeline of Key Events

• May 2023: Potter’s formal employment with the Saydel Community School District ends. Shortly thereafter, the district’s Facebook page is deleted, marking the onset of the activity.
• January 2025: Potter is alleged to have accessed the district’s Schoology learning management system through a Google administrator account and deleted an IT employee’s account, disrupting teacher access to the platform for about two hours.
• January 2025 (a week later): Potter allegedly gains access through another administrator account and deletes nine Gmail accounts belonging to current and former district staff, including the district’s IT director and superintendent.
• January 2025 onward: A shift to VPN usage is reported after Google security warnings appear.
• June 11, 2026: Potter is sentenced to 21 months in federal prison, with an additional three years of supervised release. The sentence concludes a prosecution under the Computer Fraud and Abuse Act (CFAA), with Potter pleading guilty in January 2026.

Investigation and EvidenceThe investigation linked several incidents to Potter through a combination of digital breadcrumbs and physical evidence. Key elements included:

• Correlation of activity with Potter’s prior employment history and known access points, including IP addresses tied to his former workplaces.
• Traces of compromised credentials and access patterns across multiple services used by Saydel, including social media, learning platforms, and email systems.
• Forensic examination of a USB drive found on Potter’s desk, which reportedly contained spreadsheets listing usernames and passwords for Saydel District accounts and services.
• Cross-referencing activity with security alerts and logs from Google, Apple, and other service providers, which aided in constructing a timeline and identifying targets.

Legal Proceedings and SentencingPotter pleaded guilty in January 2026 to computer fraud charges under the Computer Fraud and Abuse Act. The plea did not involve a broader plea agreement. On June 11, 2026, the court imposed a sentence of 21 months in prison, followed by three years of supervised release. Conditions of the supervised release include restrictions and monitoring related to employment, finances, and computer systems, with authority for searches of electronic devices if there is reasonable suspicion.

Restitution and Supervised Release ConditionsAs part of the sentence, Potter is required to repay the Saydel Community School District and its insurer, Travelers Casualty and Surety Company, a total of $59,668.81 to cover remediation costs associated with the attacks. The structured supervised release plan imposes ongoing obligations designed to prevent further unlawful access to systems and to oversee Potter’s employment and financial activities, including potential monitoring of computer use and related technologies.

Impact on Saydel Community School DistrictThe attacks caused tangible, system-wide disruption that affected both administration and classroom operations. Immediate consequences included the loss of access to key platforms and services, which impeded teachers, administrators, and support staff in their daily duties. The district incurred significant remediation costs while restoring services and ensuring secure access for employees and students. The incident also highlighted the vulnerability that can arise when former employees retain credentials or access rights, underscoring the importance of rigorous offboarding processes and ongoing monitoring of privileged accounts.

Aftermath and ContextThe case serves as a high-profile reminder of how quickly a former employee can transition from a passive ex-employee to an active disruptor when access remains active. It underscores several practical realities:

• The critical need for immediate revocation of all credentials upon employment separation.
• The importance of multi-factor authentication and robust identity management to minimize the risk of credential reuse.
• The reality that remediation can be lengthy and costly, affecting students, teachers, and district operations.
• The role of investigative collaboration among federal authorities, previous employers, and service providers in tracing and validating unauthorized activity across diverse digital environments.

ConclusionThe Saydel Community School District cyberattack perpetrated by a former IT employee culminated in a federal conviction and a 21-month prison sentence, followed by three years of supervised release. Restitution ordered to offset remediation costs reflects the tangible financial impact of such intrusions. The case illustrates the long tail of risk that can persist after an employee leaves an organization and the ongoing need for vigilant credential management, continuous monitoring, and rapid incident response to protect critical educational infrastructure.