When IT Turns Rogue: Lessons From a School District’s Insider Cyberattack
By Mag-Info Tech editorial · 2026-06-14

A former senior IT support specialist at an Iowa school district was sentenced to 21 months in prison after waging a sustained cyberattack against his former employer that disrupted classroom operations, deleted user accounts, and inflicted tens of thousands of dollars in damages. The 21-month campaign began almost immediately after his employment ended in April 2023 and continued through January 2025, demonstrating how quickly privileged access can be weaponized when offboarding is delayed or incomplete.
How a trusted insider became a persistent threat
Ezekiel Dean Potter worked as a senior IT support specialist for the Saydel Community School District from May 2022 until April 2023. Court records show he retained access credentials after his departure and then repeatedly targeted district systems over the following 21 months. The first visible strike came shortly after he left employment: the district’s public Facebook page was deleted, a move that immediately disrupted community communication. From there, the attacks escalated in scope and impact, illustrating how a single insider with lingering privileges can inflict damage across multiple platforms.
Prosecutors described the campaign as continuous harassment, noting that Potter repeatedly attempted to reset usernames and passwords for educational platforms and employee accounts. Each reset attempt created additional disruption, forcing staff to spend time recovering access rather than serving students. The sustained nature of the attacks—spanning more than a year and a half—also highlights how insider threats can evolve from isolated incidents into protracted campaigns when organizations fail to revoke access promptly.
Disabling core educational infrastructure
One of the most damaging incidents occurred when Potter targeted the district’s Apple School Manager account. He deleted user accounts, passwords, phone numbers, billing information, and device management server data, effectively locking school employees out of the platform. For roughly a week, staff had to work with Apple to restore access while teachers could not manage district-issued MacBooks and iPads. This disruption directly impaired the district’s ability to deliver instruction and manage classroom technology, showing how a single compromised account can cascade into broader operational failure.
The attack also extended to unauthorized access attempts against the district’s GoDaddy account and other online services, indicating Potter probed multiple entry points. Such multi-vector probing is common in insider attacks, as threat actors test weak links in an organization’s security perimeter. The fact that these attempts were made after Potter’s employment ended underscores the need for continuous monitoring of privileged accounts even after personnel changes.

Sabotage in the learning management system
In January 2025, prosecutors allege Potter accessed the district’s Schoology learning management system through a Google administrator account and deleted an IT employee’s account. This action disrupted teacher access to Schoology for approximately two hours, affecting classes and forcing staff to scramble for recovery. The timing—nearly two years after his departure—demonstrates that insider threats are not always impulsive but can be methodically planned and executed over long periods.
A week later, prosecutors say Potter accessed another administrator account and deleted nine Gmail accounts belonging to current and former district employees, including the district’s IT director. This deletion of key personnel accounts not only caused immediate operational disruption but also created a longer-term recovery burden, as backups had to be restored and new accounts provisioned. The targeting of leadership accounts signals an intent to maximize disruption and send a message, a pattern seen in other insider sabotage cases.
Quantifying the fallout: cost and classroom impact
Prosecutors described the total damage as “tens of thousands of dollars” in remediation costs, including time spent by staff to restore systems, coordinate with third-party vendors like Apple, and recover deleted data. While the exact financial figure is not specified in public records, the scope of the incidents—spanning social media, device management, email, and learning platforms—suggests a multi-layered recovery effort that likely required both internal resources and external support. For a school district with limited IT budgets, such unplanned expenditures can strain already tight finances.
Beyond direct costs, the attacks disrupted classroom operations on multiple occasions, including a two-hour disruption in Schoology access and a week-long block on Apple School Manager device management. These incidents translate directly into lost instructional time, frustrated teachers, and potential learning gaps for students. In education, where continuity of service is critical, even brief outages can have disproportionate consequences, reinforcing the need for robust access controls and rapid incident response.
Why offboarding must be immediate and comprehensive
The Saydel case illustrates the dangers of delayed or incomplete offboarding. Potter retained access credentials for more than a year after his employment ended, a gap that created a persistent attack surface. Organizations must treat employee departures as security events that require immediate revocation of all system access, including email, cloud platforms, social media, device management consoles, and administrative portals. Automated identity and access management (IAM) systems can help enforce consistent offboarding policies across on-premises and cloud environments.
Privileged accounts—especially those tied to IT administrators—should be prioritized for prompt deactivation. In this case, Potter’s role as a senior IT support specialist gave him elevated access across multiple systems, making his lingering credentials particularly dangerous. Regular audits of privileged accounts and automated deprovisioning workflows can reduce the window of opportunity for insider misuse. Schools and other public-sector organizations, which often have limited IT staff, should consider third-party identity governance tools to ensure no account remains active after an employee leaves.

The role of monitoring and behavioral analytics
The prolonged nature of the attacks also highlights the importance of continuous monitoring for anomalous behavior, even after an employee has left. While Potter’s actions were eventually detected and attributed, the campaign spanned 21 months, suggesting that early indicators may have been missed. Behavioral analytics tools that flag unusual login patterns, mass deletions, or administrative changes can provide early warnings of insider threats. Schools and small organizations may not have dedicated security operations centers, but even basic logging and alerting on privileged accounts can make a significant difference.
In this case, the attacks escalated from a deleted Facebook page to the deletion of core educational accounts. Behavioral monitoring systems could have detected the initial unauthorized access and triggered an investigation before the damage spread. For resource-constrained institutions, starting with monitoring on high-value systems, such as learning management platforms, device management consoles, and email administrator accounts, can provide the most protection per unit of effort.
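As an illustration of the basic alerting on privileged accounts described above, the following added example (not taken from the case record or any vendor's tooling) applies two rules to a constructed admin audit trail: any action by an identity that has already left, and a burst of deletions by one administrator. The event tuple shape, account names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, actor, action, target); the shape is
# illustrative and does not match any particular vendor's audit log schema.
EVENTS = [
    ("2023-05-02T21:14:00", "former-it@district.example", "PAGE_DELETE", "social-page"),
    ("2025-01-10T08:02:00", "admin-a@district.example", "USER_CREATE", "new-teacher"),
]
EVENTS += [(f"2025-01-17T22:0{i}:00", "admin-b@district.example", "USER_DELETE", f"user-{i}")
           for i in range(9)]

# Constructed HR record: account -> last day of employment.
DEPARTED = {"former-it@district.example": "2023-04-30"}


def detect(events, departed, window=timedelta(minutes=10), threshold=5):
    """Return alerts for (1) any admin action by an offboarded identity and
    (2) `threshold` deletions by one actor inside a sliding time window."""
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of recent deletions
    for ts, actor, action, _target in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        left = departed.get(actor)
        if left is not None and when > datetime.fromisoformat(left):
            alerts.append(("departed_actor", actor, ts))
        if action.endswith("_DELETE"):
            q = recent[actor]
            q.append(when)
            while when - q[0] > window:  # drop deletions that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("mass_deletion", actor, ts))
                q.clear()  # start counting again so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, DEPARTED):
        print(alert)
```

The first rule only catches use of the departed person's own identity; the deletion-burst rule is what still fires when a different administrator account is used.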
Legal consequences and deterrence
The 21-month prison sentence sends a clear message about the legal consequences of insider cyber sabotage. Prosecutors framed the case as a sustained campaign of harassment and destruction, and the court’s response reflects the severity of disrupting public services. The ruling may serve as a deterrent to other disgruntled employees considering similar actions, but it also underscores the need for organizations to take preventive measures. Legal recourse is important, but it cannot undo operational damage or restore lost instructional time.
Organizations should also review their acceptable use and security policies to ensure they explicitly prohibit insider sabotage and outline consequences. Clear communication of these policies during onboarding and offboarding can reinforce expectations and deter misuse. In education, where community trust is vital, such incidents can erode confidence in the district’s ability to protect student data and maintain reliable services.

Practical steps for schools and small organizations
School districts and small organizations should implement a checklist for offboarding that includes immediate revocation of all system access, password resets for shared accounts, and removal from administrative groups. Automated workflows in identity platforms can reduce human error and ensure consistency. Regular audits of privileged accounts—at least quarterly—can identify lingering access that should have been revoked.
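The checklist above can be turned into a recurring audit. This added example (not part of the original article) cross-checks a constructed account inventory against a departures list and reports the three gaps the checklist names: access still enabled, lingering admin group membership, and shared passwords not reset since the departure. All field names, systems and accounts are hypothetical.

```python
from datetime import date
from typing import NamedTuple


class Account(NamedTuple):
    system: str
    account: str
    owner: str          # a person's id, or "shared" for a shared credential
    enabled: bool
    admin: bool         # member of an administrative group
    pw_changed: date    # date of the last password reset
    known_to: tuple     # people who have held a shared credential


# Constructed inventory export; not a real IAM schema.
ACCOUNTS = [
    Account("email", "tech1", "tech1", False, False, date(2023, 1, 5), ()),
    Account("mdm-console", "tech1-admin", "tech1", True, True, date(2023, 1, 5), ()),
    Account("social-media", "district-page", "shared", True, True,
            date(2022, 9, 1), ("tech1", "tech2")),
    Account("domain-registrar", "dns-admin", "shared", True, True,
            date(2023, 4, 29), ("tech1",)),
    Account("email", "tech2", "tech2", True, True, date(2024, 2, 1), ()),
]
# Constructed HR feed: person -> last day of employment.
DEPARTURES = {"tech1": date(2023, 4, 28)}


def audit(accounts, departures):
    """Return (finding, system, account) tuples for incomplete offboarding."""
    findings = []
    for a in accounts:
        if a.owner in departures:
            if a.enabled:
                findings.append(("active_after_departure", a.system, a.account))
            if a.admin:
                findings.append(("still_in_admin_group", a.system, a.account))
        # A shared secret stays exposed until it is reset after the departure date.
        if any(p in departures and a.pw_changed <= departures[p] for p in a.known_to):
            findings.append(("shared_secret_not_rotated", a.system, a.account))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, DEPARTURES):
        print(finding)
```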
Limiting the scope of privileged access is equally important. Not every IT support specialist needs domain administrator rights across all systems. Role-based access control (RBAC) can restrict users to the minimum permissions required for their roles, reducing the potential blast radius of an insider attack. Schools should also consider implementing multi-factor authentication (MFA) on all administrative accounts and critical systems, making it harder for former employees to regain access even if credentials are still active.
What to watch next: emerging insider threat trends
The Saydel case reflects a broader trend in which disgruntled or departing employees weaponize retained access to cause harm. As more organizations migrate to cloud platforms and unified device management systems, the attack surface for insider threats expands. Schools using platforms like Apple School Manager, Google Workspace for Education, and learning management systems are particularly exposed, because a single compromised administrator account can disrupt multiple services.
Moving forward, expect regulators and insurers to place greater emphasis on insider threat controls in education and public-sector contracts. Audits may increasingly focus on offboarding procedures, privileged access reviews, and monitoring capabilities. Organizations that cannot demonstrate robust controls may face higher premiums or compliance penalties. For schools, this means documenting offboarding processes and maintaining logs of access revocations to prove due diligence.
Conclusion
The case of the former Iowa school district IT specialist serves as a cautionary tale about the risks of delayed offboarding and unchecked privileged access. A 21-month campaign of sabotage disrupted classrooms, erased accounts, and incurred significant remediation costs, all stemming from retained credentials after employment ended. The outcome—21 months in prison—reinforces the legal stakes, but the real lesson is preventive: treat every departure as a security event, automate access revocation, monitor privileged accounts continuously, and limit permissions to what is strictly necessary. Schools and small organizations that implement these controls can avoid becoming the next cautionary headline.