Former IT Employee Sentenced for Cyberattacking Iowa School District
Ezekiel Dean Potter, a former IT specialist for Iowa’s Saydel Community School District, was sentenced to 21 months in prison on June 11 for a 21-month cyberattack. Court documents show Potter deleted educational accounts and disrupted classrooms, resulting in $59,668.81 in restitution for the district and its insurer, Travelers Casualty and Surety Company.
Why do insider threats persist in school districts?
Many organizations struggle with “offboarding,” the process of removing access for departing employees. In this case, Potter worked as a senior IT support specialist from May 2022 through April 2023, but he retained access credentials long after his employment ended.
According to the U.S. government, Potter used these credentials to act as a “plague” on the district. He deleted the school’s Facebook page and stripped staff of access to critical educational platforms. This highlights a common vulnerability: when IT administrators have “god-mode” access, a failure to rotate passwords or revoke tokens can leave a system open for years.
How did investigators trace the attacks to Potter?
Potter attempted to mask his identity using a VPN service after Google sent security alerts regarding unauthorized account access. However, federal investigators successfully traced the activity back to IP addresses linked to Potter’s subsequent employers, including The Printer Inc. (TPI) and Casey’s Store Support Center.
The case broke wide open through a physical lead rather than a digital one. Prosecutors say that after Potter left TPI in January 2025, he asked a former coworker to wipe a USB drive from his desk. Instead of deleting the data, the coworker gave the drive to investigators.
Court documents state that the drive contained spreadsheets with usernames and passwords for Saydel School District services. The contrast is telling: attackers may use sophisticated tools like VPNs, but lapses in basic “digital hygiene,” like storing passwords in a plain text file on a USB drive, often lead to their downfall.
What happens when cyberattacks disrupt classroom operations?
The impact of these attacks went beyond data loss; they stopped actual teaching. According to court filings, Potter targeted the Apple School Manager account, which disabled the management of district MacBooks and iPads for about a week.
In January 2025, Potter accessed the Schoology learning management system via a Google administrator account. He deleted an IT employee’s account, which disrupted teacher access and impacted live classes for two hours. Later, he deleted nine Gmail accounts, including those belonging to the district’s superintendent and IT director.
These actions demonstrate the fragility of the “educational stack.” When one administrator account is compromised, the ripple effect can shut down everything from grading systems to hardware management.
What are the legal and financial consequences for computer fraud?
Potter pleaded guilty in January 2026 to charges under the Computer Fraud and Abuse Act. He didn’t enter a plea agreement, which often results in stricter sentencing.
The court imposed a three-pronged penalty:
- Incarceration: 21 months in federal prison.
- Financial Restitution: $59,668.81 paid to the district and its insurer to cover remediation costs.
- Supervised Release: Three years of monitoring, including restrictions on computer use and the possibility of electronic device searches.
This case serves as a precedent for how courts value “remediation costs.” The $59k figure represents the actual cost of hiring outside experts to scrub systems and recover deleted data, rather than just the value of the lost hardware.
Frequently Asked Questions
What is a “remediation cost” in a cyberattack?
It’s the total expense required to fix the damage. This includes forensic audits, restoring backups, resetting all user passwords, and paying security consultants to ensure the attacker is fully evicted from the network.

Can an employee be jailed for using old passwords?
Yes. Under the Computer Fraud and Abuse Act, using credentials to access a system after your authorization has ended is considered “unauthorized access,” which is a federal crime.
How can schools prevent former IT staff from attacking systems?
Schools should use Single Sign-On (SSO) providers. When an employee is deactivated in the central directory (like Active Directory or Google Workspace), their access to all linked apps (Schoology, Apple School Manager, etc.) is revoked instantly.
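An added example, not part of the original article: an offboarding audit that flags what a directory deactivation alone does not reach, namely active non-federated accounts and shared admin secrets not rotated since a departure. The inventory format, account names and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data: people, accounts and dates are illustrative only.
DEPARTED = {"jdoe": date(2023, 4, 28)}  # employee id -> last working day

# One row per credential; "known_to" lists everyone who has held the secret.
CREDENTIALS = [
    {"service": "Google Workspace", "account": "jdoe@district.example",
     "kind": "personal", "sso": True, "active": False,
     "known_to": ["jdoe"], "last_rotated": date(2022, 5, 2)},
    {"service": "Schoology", "account": "jdoe-local",
     "kind": "personal", "sso": False, "active": True,
     "known_to": ["jdoe"], "last_rotated": date(2022, 6, 1)},
    {"service": "Apple School Manager", "account": "asm-admin@district.example",
     "kind": "shared", "sso": False, "active": True,
     "known_to": ["jdoe", "asmith"], "last_rotated": date(2022, 9, 15)},
    {"service": "Facebook page", "account": "page-admin@district.example",
     "kind": "shared", "sso": False, "active": True,
     "known_to": ["jdoe", "asmith"], "last_rotated": date(2023, 5, 3)},
]


def audit_offboarding(departed, credentials, today):
    """Return (service, account, person, action, days_exposed) for every
    credential a departed employee could still use as of `today`."""
    findings = []
    for cred in credentials:
        for person in cred["known_to"]:
            left = departed.get(person)
            if left is None or left >= today:
                continue  # still employed
            exposed = (today - left).days
            if cred["kind"] == "personal" and cred["active"]:
                # Directory deactivation only reaches federated (SSO) logins.
                action = ("disable in directory" if cred["sso"]
                          else "disable in the service itself")
            elif cred["kind"] == "shared" and cred["last_rotated"] <= left:
                action = "rotate secret and revoke sessions"
            else:
                continue
            findings.append((cred["service"], cred["account"], person,
                             action, exposed))
    return findings


if __name__ == "__main__":
    for row in audit_offboarding(DEPARTED, CREDENTIALS, date(2023, 6, 1)):
        print(*row, sep=" | ")
```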
Why did the attacker use a VPN?
A Virtual Private Network (VPN) hides the user’s real IP address by routing traffic through a different server, making it harder for investigators to pinpoint the physical location of the attacker.