Full Report
A lot of insider threat reports this week, it seems. This one is from the U.S. Attorney’s Office, Southern District of Iowa: DES MOINES, Iowa – On October 15, 2025, a federal grand jury in Des Moines charged a Des Moines man with computer fraud. The Indictment alleges that Ezekiel Dean Potter, 34, after being...
Analysis Summary
# Incident Report: Unauthorized Access and System Disruption by Terminated Employee
## Executive Summary
A former employee, Ezekiel Dean Potter, was formally charged with computer fraud on October 15, 2025, for unauthorized access to his previous employer's computer systems following his termination in April 2023. For over 18 months, the individual reset credentials and revoked access rights, causing widespread operational disruption and resulting in tens of thousands of dollars in losses for the employer. The incident is currently under investigation by the FBI.
## Incident Details
- Discovery Date: Not explicitly stated (Access was ongoing from May 2023 until at least January 2025)
- Incident Date: Ongoing between May 14, 2023, and January 16, 2025.
- Affected Organization: Unnamed Employer (Mentioned in the U.S. Attorney's Office filing)
- Sector: Unspecified (Based on context, likely corporate/business operations)
- Geography: Des Moines, Iowa (Location of indictment and employer/perpetrator)
## Timeline of Events
### Initial Access
- Date/Time: May 14, 2023 (Start date of alleged illicit activity following termination in April 2023)
- Vector: Exploited residual access or credentials following employment termination.
- Details: Ezekiel Dean Potter allegedly accessed or attempted to access the employer’s computer systems without authorization.
### Lateral Movement
- Not explicitly detailed, but actions suggest access persisted across multiple accounts.
### Data Exfiltration/Impact
- **System Manipulation:** Reset usernames and passwords for employer accounts.
- **Access Revocation:** Deleted or revoked access rights for employer accounts.
- **Impact:** Caused widespread disruption to the employer’s operations.
### Detection & Response
- **Detection:** Not detailed when internal detection occurred, but the matter led to a federal indictment.
- **Response actions taken:** The case was investigated by the Federal Bureau of Investigation (FBI) with assistance from the Polk County Sheriff’s Office, leading to a federal grand jury indictment on October 15, 2025.
## Attack Methodology
This incident primarily involved misuse of **Post-Employment Access** combined with **Account Takeover**.
- Initial Access: Unauthorized access after termination.
- Persistence: Conducted activities over a prolonged period (May 2023 – Jan 2025).
- Privilege Escalation: Not explicitly stated, but likely involved maintaining or regaining elevated access post-termination.
- Defense Evasion: The unauthorized actions were successfully performed over an extended period without immediate prevention.
- Credential Access: Potentially involved reusing old credentials or exploiting weak deprovisioning processes.
- Discovery: Internal reconnaissance likely occurred to identify critical accounts.
- Lateral Movement: Suggested by the ability to target and manipulate multiple employer accounts.
- Collection: Not the primary goal; focus was on disruption.
- Exfiltration: Not mentioned as the primary activity.
- Impact: Destruction/disruption of authorized user access and operational continuity.
## Impact Assessment
- Financial: Tens of thousands of dollars in losses to the employer.
- Data Breach: No indication of mass data exfiltration mentioned; impact was on system usability and access control.
- Operational: Widespread disruption to the employer’s operations.
- Reputational: Not assessed based on the provided information.
## Indicators of Compromise
*Note: Since this is a summary of a charging document rather than a detailed forensic report, specific IoCs are unavailable.*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Repeated unauthorized logins/actions following termination; Mass modification of user account credentials and access rights.
## Response Actions
- **Containment:** Not detailed, but likely involved immediate forced password resets and account lockouts, and potentially network segmentation and audits covering the full period of the malicious activity.
- **Eradication:** Identifying and revoking all residual access held by the terminated employee.
- **Recovery:** Restoring access rights and normalizing operations after the disruption caused by credential loss/revocation.
## Lessons Learned
- **Offboarding Security:** The primary lesson is the critical failure in the termination process (April 2023) to immediately revoke all forms of system access, allowing unauthorized persistence for 1.5 years.
- **Proactive Monitoring:** A failure to detect ongoing unauthorized activity for 20 months suggests weak continuous monitoring for anomalous post-termination behavior.
## Recommendations
- **Implement Zero-Trust De-provisioning:** Ensure all system access (network, cloud, VPN, critical applications) is terminated immediately upon employee departure, with follow-up verification for recently separated personnel.
- **Behavioral Anomaly Detection:** Deploy tools capable of detecting attempts to access company resources using former employee credentials or patterns inconsistent with current employee roles.
- **Access Auditing:** Conduct mandatory, time-bound audits of privileged and administrative accounts following any termination to ensure integrity.
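As an added illustration of the two behavioral indicators and the anomaly-detection recommendation above (not part of the original report or the charging document), the following Python flags activity by a deprovisioned account after its termination date and bursts of credential or access changes by a single actor. The HR offboarding feed, the audit-log format, and every username and timestamp are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR offboarding feed: username -> termination date (assumed)
TERMINATED = {"epotter": datetime(2023, 4, 28)}
# Constructed audit log in an assumed "timestamp|actor|action|target" format
AUDIT_LOG = """\
2023-05-14T02:11:05|epotter|login|vpn
2023-05-14T02:13:40|epotter|password_reset|jdoe
2023-05-14T02:14:02|epotter|password_reset|asmith
2023-05-14T02:14:30|epotter|access_revoke|asmith
2023-05-14T02:15:10|epotter|access_revoke|bwong
2023-05-14T09:00:00|itadmin|password_reset|jdoe
2023-06-01T11:30:00|itadmin|login|vpn
""".strip().splitlines()
# Actions that change someone else's credentials or access rights
ACCOUNT_CHANGES = {"password_reset", "access_revoke", "username_change"}

def parse_events(lines):
    """Parse log lines into (time, actor, action, target), oldest first."""
    events = []
    for line in lines:
        ts, actor, action, target = line.split("|")
        events.append((datetime.fromisoformat(ts), actor, action, target))
    return sorted(events)

def post_termination_activity(events, terminated=TERMINATED):
    """Indicator 1: any event by an actor after that actor's termination."""
    return [e for e in events
            if e[1] in terminated and e[0] > terminated[e[1]]]

def mass_account_changes(events, window=timedelta(minutes=10), threshold=3):
    """Indicator 2: actors making >= threshold account changes inside one
    sliding window; returns actor -> largest burst size observed."""
    by_actor = defaultdict(list)
    for ts, actor, action, _ in events:
        if action in ACCOUNT_CHANGES:
            by_actor[actor].append(ts)
    flagged = {}
    for actor, times in by_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), end - start + 1)
    return flagged

def run_detections(lines=AUDIT_LOG):
    events = parse_events(lines)
    return {"post_termination": post_termination_activity(events),
            "mass_changes": mass_account_changes(events)}
```

In production the HR feed and audit log would come from the identity provider and SIEM; the thresholds here are placeholders to tune against normal help-desk activity.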