"For over a year and a half, Defendant was a plague on the Saydel Community School District," the U.S. government wrote in a sentencing memorandum.
Ezekiel Dean Potter’s campaign against Saydel Community School District
According to court documents, Ezekiel Dean Potter, 34, worked as a senior IT support specialist for the Saydel Community School District in Des Moines from May 2022 through April 2023. Prosecutors say that after his employment ended, Potter retained access credentials and repeatedly targeted the district’s systems over the next 21 months. The attacks began shortly after Potter left the district, with the deletion of Saydel's Facebook account, and continued through repeated intrusions into services supporting classrooms and device management.
Targets and tactics: Facebook, Apple School Manager, Schoology, Gmail
Prosecutors describe a sequence of disruptive actions. Potter is accused of deleting the district’s Facebook page, then later accessing the district's Apple School Manager account and deleting user accounts, passwords, phone numbers, billing information, and device management server data. That removal of device-management data disabled the district’s management of MacBooks and iPads and prevented employees from accessing the Apple School Manager platform while staff worked with Apple to recover access—an outage that lasted roughly a week.
In January 2025, prosecutors say Potter accessed the district's Schoology learning management system through a Google administrator account and deleted an IT employee’s account, disrupting teacher access for approximately two hours. A week later he allegedly accessed another administrator account and deleted nine Gmail accounts belonging to current and former district employees, including the district’s IT director and superintendent. Prosecutors also reported unauthorized access attempts against the district's GoDaddy account and other online services.
How investigators traced the intrusions and what they found
According to court filings, federal investigators traced some of the activity to IP addresses associated with Potter’s other employers, including Casey’s Store Support Center and The Printer Inc. (TPI). After Potter left TPI in January 2025, prosecutors say he asked a former coworker to retrieve and wipe a USB drive from his desk. The coworker instead turned the drive over to investigators; law enforcement allegedly found spreadsheets on the device containing usernames and passwords for Saydel School District accounts and services. Prosecutors also say Potter switched to using a VPN service after receiving Google security alerts warning of unauthorized account access.
Legal outcome: plea, sentence, supervision, and restitution
Potter pleaded guilty in January 2026 to computer fraud charges under the Computer Fraud and Abuse Act without entering into a plea agreement. On June 11 he was sentenced to 21 months in prison, followed by three years of supervised release. As part of the supervised release conditions, Potter will be subject to restrictions and monitoring related to employment, finances, and computer systems, including searches of electronic devices upon reasonable suspicion. The court ordered Potter to pay $59,668.81 in restitution to the Saydel Community School District and its insurer, Travelers Casualty and Surety Company, for remediation costs related to the attacks.
What this means for school IT teams, Travelers Casualty and Surety Company, and employers with shared networks
- School IT teams: The episode highlights the operational impact that retained credentials and deleted administrative accounts can inflict—device-management servers, learning platforms, and email access were disrupted, and classroom operations were impaired for hours to weeks. School IT staff and administrators will likely scrutinize account deprovisioning and recovery plans in light of the reported outages.
- Travelers Casualty and Surety Company (insurer): Travelers is listed as a restitution recipient for $59,668.81, reflecting the insurer’s role in covering remediation costs. The case ties insurer payouts directly to the cost of restoring access, recovering managed devices, and responding to classroom disruptions.
- Employers with shared networks or overlapping IP footprints (e.g., Casey’s Store Support Center, The Printer Inc.): Federal tracing of activity to IP addresses associated with Potter’s other employers and the recovery of spreadsheets on a workplace USB drive underscore exposure risks when employees move between workplaces without strict controls over removable media and credential hygiene.
The court record in this case offers a narrow, concrete set of facts: a former senior IT specialist retained access after leaving, staged repeated intrusions over 21 months, and caused tangible operational and financial harm to a school district. The sentence, supervised-release conditions, and nearly $60,000 in restitution close one chapter; they also leave a clear question for districts and insurers to answer using their own records and policies—how will credentials, device-management access, and removable-media handling be changed to prevent a similar chain of outages from recurring?




