BleepingComputer reported that former Saydel Community School District senior IT support specialist Ezekiel Dean Potter was sentenced to 21 months in prison.
Prosecutors said Potter retained access credentials after leaving the Iowa school district and repeatedly targeted district systems over the next 21 months.
The attacks disrupted classroom operations, deleted accounts, impaired access to education platforms, and caused tens of thousands of dollars in remediation costs.
Potter deleted the district’s Facebook page and later targeted Apple School Manager, deleting user accounts, passwords, phone numbers, billing information, and device management server data.
The Apple School Manager disruption prevented staff from accessing the platform and disabled management of district MacBooks and iPads for roughly a week.
Potter accessed the Schoology learning management system through a Google administrator account and deleted an IT employee’s account, disrupting teacher access and impacting classes for about two hours.
Prosecutors said he later used another administrator account to delete nine Gmail accounts belonging to current and former district employees, including the IT director and superintendent.
Investigators recovered spreadsheets containing usernames and passwords for Saydel School District accounts and services from a USB drive turned over by a former coworker.
Potter was ordered to pay $59,668.81 in restitution to the school district and its insurer.
A former Iowa school district IT employee has been sentenced to prison. Prosecutors said he retained access credentials and used them to carry out a prolonged cyberattack against his former employer over nearly two years.
According to court records, the attack disrupted critical educational and administrative services. The affected systems included identity accounts, learning platforms, and device-management platforms.
The case highlights a persistent enterprise security challenge. Former employees who retain privileged access can create significant operational and financial consequences long after they leave an organization.
For IT and security leaders, the case is a reminder that effective offboarding extends beyond disabling a user account. Credential revocation, privileged-access reviews, and continuous monitoring remain critical security controls.
The reported activity was an example of identity and privileged-access abuse rather than a malware-driven attack. Prosecutors said the former employee retained access credentials after leaving the organization and used them to access multiple administrative systems over an extended period.
The affected services reportedly included:
Facebook administration
Apple School Manager
GoDaddy
Google administrator accounts
Gmail accounts
Schoology
The attack targeted administrative functions across these platforms, allowing the former employee to delete accounts, modify access, and disrupt day-to-day operations. Rather than exploiting software vulnerabilities, the activity relied on access that should have been revoked during the offboarding process.
The reported Apple School Manager disruption is particularly notable because the platform serves as a central administrative layer for Apple devices in education environments. Prosecutors said the former employee deleted user accounts, passwords, phone numbers, billing information, and device-management server data. As a result, staff lost access to the platform, and device-management operations remained disrupted for approximately one week.
The case illustrates how a compromised or improperly managed administrative account can create organization-wide consequences. When privileged identities maintain access to cloud services, learning platforms, and device-management infrastructure, a single account can become a gateway to widespread operational disruption.
How Hexnode Can Strengthen Offboarding and Access Control
Incidents like this highlight the importance of combining endpoint management, access governance, and security monitoring to reduce the risk of insider or post-employment misuse.
With Hexnode UEM, IT teams can maintain visibility into managed devices, enforce security policies, execute remote actions such as device lock and wipe, and monitor device compliance across supported endpoints, including macOS and iPadOS devices. These capabilities help organizations maintain control over corporate assets when employees leave or administrative responsibilities change.
From a security operations perspective, Hexnode XDR provides centralized visibility for threat detection, investigation, and response. By correlating security signals across managed endpoints and consolidating alerts into a single platform, security teams can identify suspicious activity more efficiently and accelerate incident response workflows.
In scenarios involving former employees or privileged-user abuse, organizations should focus on:
Immediate revocation of administrative access during offboarding
Regular reviews of privileged accounts and role assignments
Continuous monitoring for unusual administrative activity
Rapid investigation of unauthorized account modifications or deletions
Maintaining visibility across both endpoint and security telemetry
While no single control can eliminate insider risk, combining strong offboarding processes with endpoint management and security monitoring can significantly reduce the likelihood and impact of credential-based abuse.
Conclusion
The Saydel case underscores a security reality that extends far beyond the education sector. Identity offboarding, privileged-access governance, and administrative oversight are foundational security controls.
The incident shows how retained credentials and unmanaged administrative access can create long-term operational risk. That risk can persist even after an employee leaves the organization. When privileged accounts remain active or go unmonitored, a single identity can disrupt critical services, delete data, and impair management capabilities across multiple platforms.
For IT and security leaders, the takeaway is clear. Access revocation must be immediate, verifiable, and consistently enforced across all systems. Regular privileged-access reviews can help identify unnecessary permissions. Credential rotation, audit logging, and continuous monitoring can further reduce the risk of unauthorized access.
Organizations should assume that administrative credentials may persist beyond employment. To reduce that risk, offboarding processes should be automated, audited, and continuously monitored. The longer privileged access remains unchecked, the greater the potential operational and security impact.
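A verifiable offboarding check of the kind described above, as an added example (not from the original article, Hexnode, or the court records): it flags personal accounts that are still active and shared administrator credentials that have not been rotated since a departure. The inventory format, account names, holders and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    platform: str
    name: str
    privileged: bool
    active: bool
    holders: frozenset   # everyone who has ever known this credential
    last_rotated: date   # last password / token / recovery-factor change

def offboarding_gaps(inventory, person, left_on):
    """Return (platform, account, action) for access `person` may still hold."""
    findings = []
    for a in inventory:
        if not a.active or person not in a.holders:
            continue
        if a.holders == {person}:
            action = "DISABLE"   # personal account that outlived the employee
        elif a.last_rotated <= left_on:
            action = "ROTATE"    # shared secret unchanged since the departure
        else:
            continue             # shared secret already rotated afterwards
        findings.append((not a.privileged, a.platform, a.name, action))
    # Privileged accounts sort first (False < True), then by platform name.
    return [f[1:] for f in sorted(findings)]

# Constructed sample data: account names, holders and dates are invented.
LEFT = date(2023, 3, 15)
INVENTORY = [
    Account("Google", "it-admin@district.example", True, True,
            frozenset({"departed.tech", "it.director"}), date(2022, 11, 1)),
    Account("Apple School Manager", "asm-admin@district.example", True, True,
            frozenset({"departed.tech", "it.director"}), date(2023, 3, 20)),
    Account("Schoology", "departed.tech", False, True,
            frozenset({"departed.tech"}), date(2021, 8, 1)),
    Account("GoDaddy", "dns-owner", True, True,
            frozenset({"it.director"}), date(2020, 1, 1)),
    Account("Facebook", "page-admin", True, False,
            frozenset({"departed.tech"}), date(2019, 5, 1)),
]

if __name__ == "__main__":
    for platform, name, action in offboarding_gaps(INVENTORY, "departed.tech", LEFT):
        print(f"{action:8} {platform}: {name}")
```

The shared Google administrator entry is reported even though the departed user's own login is a separate account, which is the gap that disabling a single user account leaves open.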