Saydel District's 21-Month Offboarding Security Failure

For 21 months after his employment ended in April 2023, Ezekiel Dean Potter, a former Senior IT Support Specialist, repeatedly sabotaged the Saydel Community School District's systems. The breach stemmed from credentials that were never revoked and security hygiene that was never maintained, and it is a stark case study in why offboarding procedures and continuous access management matter. The incident, which caused widespread disruption and nearly $60,000 in remediation costs, shows how easily a disgruntled former employee can exploit an overlooked gap when basic controls are neglected.

The 21-Month Insider Attack: An Offboarding Security Failure

How a Fired Employee Retained Privileged Access

Potter, 34, worked for the Saydel Community School District in Des Moines, Iowa, from May 2022 to April 2023. Attacks against district systems began shortly after his departure and persisted for nearly two years, causing widespread disruption. Nearly two years of access on credentials that should have died with his employment is the offboarding failure at the center of this case.

Potter used valid logins that should have been revoked the day his employment ended, a basic access management failure. No zero-day or exploit was involved; what made the attack serious was his persistence: sustained sabotage over many months and, once he was being flagged, a deliberate effort to hide.

When Google security alerts began flagging his activity, he moved to a VPN service to obscure his originating IP address and complicate attribution. Federal investigators nonetheless linked the activity to IP addresses at his subsequent employers.

The Attack Chain: A Progression of Unchecked Access

This attack chain offers a textbook illustration of an insider threat compounded by critical access management failures:

  1. Initial Access (Retained Credentials): Potter kept usernames and passwords for a range of district accounts. Because nothing was deprovisioned when he left, those credentials remained a standing backdoor: MITRE ATT&CK T1078 (Valid Accounts), specifically T1078.004 (Cloud Accounts) for the Google and Schoology access.

  2. Targeting (Key Operational Systems): Potter's activity was systematic, not random. As a former IT support specialist he already knew where the high-value accounts sat, so whether or not he also ran account discovery (MITRE ATT&CK T1087) or permission-group discovery (T1069), the effect was the same. He deleted the district's public Facebook page; compromised the Apple School Manager account, deleting user accounts, passwords, phone numbers, billing information and device management server data, which left district MacBooks and iPads unmanageable for roughly a week; and made repeated unauthorized access attempts against the GoDaddy account and other online services.

  3. Evasion (VPN Use): After the first Google security alerts, Potter routed his logins through a VPN service to mask his originating IP addresses and impede attribution. The nearest MITRE ATT&CK fit is T1090 (Proxy). T1572 (Protocol Tunneling) and the Command and Control tactic describe implant traffic, which is not what happened here: these were interactive logins to web consoles, and the VPN served only to disguise their source.

  4. Sustained Disruption (Administrator Accounts): In January 2025, nearly two years post-employment, Potter accessed the Schoology learning management system using a Google administrator account. He deleted an IT employee's account, halting classes for two hours. A week later, he compromised another administrator account, deleting nine Gmail accounts, including those of the district's IT director and superintendent. These actions demonstrate MITRE ATT&CK T1485 (Data Destruction) and T1531 (Account Access Removal), directly impacting availability and integrity.

Investigators traced the activity to IP addresses associated with his later employers: Casey’s Store Support Center and The Printer Inc. Further evidence emerged when a USB drive, recovered from his desk after he left The Printer Inc. in January 2025, contained spreadsheets listing usernames and passwords for hundreds of Saydel School District accounts. This provided undeniable evidence of his unauthorized access, stemming directly from the initial offboarding security failure.

The Real-World Impact: Beyond Technical Disruptions

The consequences for the Saydel Community School District, which serves approximately 1,400 students, extended well beyond technical issues. The incident directly impaired the district's ability to operate.

  • Disrupted Education: Classes were halted, teachers lost access to Schoology, and students' learning was interrupted. This directly impacted the district's core educational mission.

  • Operational Disruption: Deleting administrator accounts, disabling device management, and wiping the Facebook page created widespread operational challenges for staff and administrators.

  • Financial Cost: The district and its insurer, Travelers Casualty and Surety Company, incurred nearly $60,000 in remediation costs. These funds were diverted from educational resources to address a preventable security failure.

  • Trust Erosion: No personal data exposure was confirmed; however, the prolonged nature and scope of the attack diminished community trust in the district's ability to secure its systems.

The incident breached both availability and integrity: accounts, configuration and device-management data were destroyed, and core district operations stopped until they could be rebuilt.

What Needs to Change: Beyond the Prison Sentence

Potter pleaded guilty in January 2026 and was sentenced on June 11, 2026, to 21 months in federal prison, three years of supervised release, and ordered to pay $59,668.81 in restitution. With the legal process concluded, it's imperative to examine the underlying security vulnerabilities that led to this profound offboarding security failure.

Potter's 21 months of access are, at bottom, a failure of immediate deprovisioning. A rigorous offboarding protocol that disabled every account and revoked every credential the moment his employment ended would have averted the whole incident. That is more than disabling an email account. It means a checklist covering the directory (here, Google) and every system that keeps its own logins (Schoology, Apple School Manager, GoDaddy, the district's social media pages), plus rotation of any shared or service passwords the leaver knew, revocation of active sessions and API tokens, removal of his MFA enrollments, and return of badges and devices, so that no digital or physical backdoor remains open.

Even with the credentials still valid, Multi-Factor Authentication (MFA) across all district systems would have hampered Potter considerably: logins from new locations, particularly the ones Google was already flagging, would have required a second factor he should no longer have held. CISA's 2022 guidance on implementing phishing-resistant MFA treats it as the strongest defense against credential reuse, and administrator accounts are the place to start. One caveat that offboarding checklists often miss: MFA only stops a former employee if the factors he enrolled (his own phone, authenticator app or hardware key) are removed or rotated when he leaves, and if shared and service accounts are not exempted from it.

The compromise of administrator accounts, particularly for Google and Schoology, argues for Privileged Access Management (PAM). With standing admin rights replaced by just-in-time elevation that is approved, time-limited and logged, a retained login would not by itself have carried administrator power, and any elevation request from a departed employee would have been visible at once. PAM enforces least privilege, granting elevated access only when necessary and only for a limited duration, which shrinks the attack surface an insider can reach.

The 21-month duration points to a detection gap rather than an absence of signal: Google's own security alerts did fire, and Potter reacted to them, but nobody on the district side turned them into an investigation. A properly configured Security Information and Event Management (SIEM) system, or even a modest log-review routine, would have correlated the repeated access attempts, the change of source addresses after the alerts, the account deletions and the device-management changes into high-priority alerts long before classes stopped. SIEM tooling aggregates logs from the various systems into one view; the essential part is that someone owns the alerts it raises.
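To make that correlation concrete, here is an added example (not the district's tooling, and not part of the original article) of three rules a SIEM, or a scheduled job over exported audit logs, would run: deletion of a protected account, a burst of user deletions by one admin, and a successful login from a new source address shortly after a suspicious-login alert, which is the move-to-VPN pattern described above. The JSON-lines format, the field names and the sample events are constructed to resemble Google Workspace login and admin audit records; they are assumptions, not the real schema.

```python
"""Correlation rules over Workspace-style audit events.

Added example for this article: not code from Saydel, Google or a SIEM
vendor. The JSON-lines format, the field names and the sample events
are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts whose deletion should page someone immediately (assumed list).
PROTECTED = {"itdirector@saydel.example", "superintendent@saydel.example"}
BURST_COUNT = 3                       # this many DELETE_USER by one actor ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window is a burst
PIVOT_WINDOW = timedelta(hours=24)    # new-IP login this soon after an alert

# Constructed sample events, loosely modelled on the January 2025 incidents.
SAMPLE_LOG = """
{"ts": "2025-01-10T08:01:00Z", "actor": "itadmin@saydel.example", "event": "login_success", "ip": "203.0.113.10"}
{"ts": "2025-01-10T21:12:00Z", "actor": "itadmin@saydel.example", "event": "suspicious_login", "ip": "198.51.100.7"}
{"ts": "2025-01-10T21:40:00Z", "actor": "itadmin@saydel.example", "event": "login_success", "ip": "192.0.2.55"}
{"ts": "2025-01-10T21:42:00Z", "actor": "itadmin@saydel.example", "event": "DELETE_USER", "ip": "192.0.2.55", "target": "helpdesk@saydel.example"}
{"ts": "2025-01-17T22:05:00Z", "actor": "admin2@saydel.example", "event": "login_success", "ip": "192.0.2.56"}
{"ts": "2025-01-17T22:06:00Z", "actor": "admin2@saydel.example", "event": "DELETE_USER", "ip": "192.0.2.56", "target": "staff1@saydel.example"}
{"ts": "2025-01-17T22:07:00Z", "actor": "admin2@saydel.example", "event": "DELETE_USER", "ip": "192.0.2.56", "target": "itdirector@saydel.example"}
{"ts": "2025-01-17T22:08:00Z", "actor": "admin2@saydel.example", "event": "DELETE_USER", "ip": "192.0.2.56", "target": "staff2@saydel.example"}
{"ts": "2025-01-17T22:09:00Z", "actor": "admin2@saydel.example", "event": "DELETE_USER", "ip": "192.0.2.56", "target": "superintendent@saydel.example"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_protected_deletion(events):
    """Any deletion of a protected account is an alert on its own."""
    return [{"rule": "protected_account_deleted", "actor": e["actor"],
             "target": e["target"], "ts": e["ts"]}
            for e in events
            if e["event"] == "DELETE_USER" and e.get("target") in PROTECTED]


def rule_deletion_burst(events):
    """BURST_COUNT or more user deletions by one actor inside BURST_WINDOW."""
    alerts, by_actor = [], defaultdict(list)
    for e in events:
        if e["event"] == "DELETE_USER":
            by_actor[e["actor"]].append(e["ts"])
    for actor, times in by_actor.items():     # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1                    # slide the window forward
            if end - start + 1 >= BURST_COUNT:
                alerts.append({"rule": "deletion_burst", "actor": actor,
                               "count": end - start + 1, "ts": times[end]})
                start = end + 1               # one alert per burst
    return alerts


def rule_post_alert_pivot(events):
    """Successful login from a different IP within PIVOT_WINDOW of a
    suspicious_login alert for the same actor: the move-to-VPN pattern."""
    alerts, last_alert = [], {}
    for e in events:
        if e["event"] == "suspicious_login":
            last_alert[e["actor"]] = e
        elif e["event"] == "login_success" and e["actor"] in last_alert:
            a = last_alert[e["actor"]]
            if e["ts"] - a["ts"] <= PIVOT_WINDOW and e["ip"] != a["ip"]:
                alerts.append({"rule": "new_source_after_alert", "actor": e["actor"],
                               "alert_ip": a["ip"], "new_ip": e["ip"], "ts": e["ts"]})
                del last_alert[e["actor"]]    # one alert per challenge
    return alerts


RULES = (rule_protected_deletion, rule_deletion_burst, rule_post_alert_pivot)


def run_rules(text):
    """Run every rule over the log text and return all alerts, oldest first."""
    events = parse_events(text)
    alerts = [a for rule in RULES for a in rule(events)]
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_rules(SAMPLE_LOG):
        extra = {k: v for k, v in a.items() if k not in ("ts", "rule", "actor")}
        print(a["ts"].isoformat(), a["rule"], a["actor"], extra)
```

On the constructed log the rules raise four alerts: the January 10 login from a fresh address half an hour after the suspicious-login challenge, the burst of deletions by the second admin account a week later, and the two protected-account deletions inside that burst. None of these needs a threat-intel feed or a commercial product; what they need is the audit export, a place to run them, and a person who is paged when they fire.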

Beyond the offboarding moment, regular Identity Governance and Administration (IGA) audits are needed. These platforms automate the review of permissions, surfacing dormant or excessive privileges and accounts with no current owner, so that privilege creep is caught and even an overlooked account is eventually deprovisioned. IGA keeps access rights aligned with people's current roles and responsibilities and closes the gaps that offboarding misses.
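The check that this paragraph and the offboarding discussion before it both call for is a leaver reconciliation: join the HR roster to every system that holds its own logins and flag what should not still exist. The following is an added example of that audit in Python, not the district's tooling and not from any IGA vendor; the roster, the directory export, their column names and the fixed "today" are all constructed so it runs offline. In practice the directory rows would come from each system's admin API or export (Google, the LMS, Apple School Manager, the DNS registrar), one row per account per system.

```python
"""Leaver reconciliation: HR roster vs. every system that holds logins.

Added example for this article, not the district's tooling or an IGA
product. The roster, the directory export, the column names and the
fixed 'today' are all constructed so the audit runs offline.
"""
import csv
import io
from datetime import date, timedelta

DORMANT_DAYS = 90             # unused admin rights older than this are flagged
TODAY = date(2025, 2, 1)      # fixed reference date for reproducibility

# Constructed HR roster (assumed columns).
ROSTER_CSV = """employee_id,name,status,termination_date
1001,Ana Ruiz,active,
1002,Former Technician,terminated,2023-04-14
1003,Pat Lee,active,
"""

# Constructed per-system account export (assumed columns); in practice one
# row per account from Google, the LMS, Apple School Manager, the registrar...
DIRECTORY_CSV = """system,account,owner_id,suspended,admin,mfa_factors,last_login
google,aruiz@district.example,1001,no,no,1,2025-01-30
google,tech@district.example,1002,no,yes,1,2025-01-17
google,svc-backup@district.example,,no,yes,0,2024-06-02
schoology,plee@district.example,1003,no,no,0,2025-01-29
apple_school_manager,admin@district.example,1002,no,yes,0,2025-01-10
godaddy,district-dns,1001,no,yes,1,2024-09-15
"""


def parse_date(s):
    return date.fromisoformat(s) if s else None


def load_roster(text):
    """employee_id -> roster row, with termination_date as a date or None."""
    return {r["employee_id"]: {**r, "termination_date": parse_date(r["termination_date"])}
            for r in csv.DictReader(io.StringIO(text))}


def load_directory(text):
    """List of account rows with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["suspended"] = r["suspended"] == "yes"
        r["admin"] = r["admin"] == "yes"
        r["mfa_factors"] = int(r["mfa_factors"])
        r["last_login"] = parse_date(r["last_login"])
        rows.append(r)
    return rows


def audit(roster, directory, today=TODAY):
    """Return (system:account, finding, action) tuples; an empty list means clean."""
    findings = []
    for acct in directory:
        key = f'{acct["system"]}:{acct["account"]}'
        owner = roster.get(acct["owner_id"])
        if owner is None:
            findings.append((key, "orphaned", "no roster owner: assign one or retire the account"))
        elif owner["status"] == "terminated":
            term = owner["termination_date"]
            if not acct["suspended"]:
                findings.append((key, "terminated_not_suspended",
                                 f"owner left {term}: suspend, reset password, revoke sessions and tokens"))
            if acct["last_login"] and acct["last_login"] > term:
                findings.append((key, "post_termination_login",
                                 f"last login {acct['last_login']} is after {term}: treat as an incident"))
            if acct["mfa_factors"]:
                findings.append((key, "leaver_factor_enrolled",
                                 "second factor still registered to the leaver: remove it"))
        if acct["admin"] and acct["last_login"] and today - acct["last_login"] > timedelta(days=DORMANT_DAYS):
            findings.append((key, "dormant_admin",
                             f"admin rights unused since {acct['last_login']}: remove or make just-in-time"))
        if acct["admin"] and not acct["mfa_factors"]:
            findings.append((key, "admin_without_mfa", "privileged account with no second factor"))
    return findings


if __name__ == "__main__":
    for key, finding, action in audit(load_roster(ROSTER_CSV), load_directory(DIRECTORY_CSV)):
        print(f"{finding:26} {key:45} {action}")
```

Two of the findings deserve a word. post_termination_login, a last-login date later than the owner's termination date, is not a hygiene item to batch into the next review cycle; it is evidence that someone is using a leaver's credentials and should open an incident. leaver_factor_enrolled is the MFA caveat from above in code: leaving the ex-employee's own phone registered as the second factor means MFA keeps working for the attacker, so removing enrolled factors belongs on the offboarding checklist next to disabling the account.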

The Saydel incident highlights a critical lesson: even advanced security tools fail without basic process adherence. The incident revealed a breakdown in foundational access management, rather than a failure of advanced technology. An organization can deploy every firewall available, but if the administrative back door remains open for two years, compromise becomes highly likely.

This case is a stark reminder that cybersecurity is not just about technology; it is fundamentally about people, processes and continuous vigilance. Proactive measures, rather than reactive responses, are the only way to safeguard sensitive systems and data from failures like this one. Learning from Saydel's experience means prioritizing comprehensive offboarding, implementing strong access controls, and maintaining constant oversight to prevent future insider threats.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.