Iowan’s scheme undone after misplacing trust in former coworker
# Incident Report: Insider Sabotage of Saydel Community School District
## Executive Summary
A former IT support worker, Ezekiel Dean Potter, engaged in a sustained campaign of cyber sabotage against the Saydel Community School District (SCSD) for nearly 20 months following his termination. Using stolen credentials for over 300 accounts, Potter deleted critical infrastructure, locked out staff, and disrupted educational activities. The incident resulted in over $101,000 in damages and led to a 21-month federal prison sentence for the perpetrator.
## Incident Details
- **Discovery Date:** January 2025 (final escalation); October 2025 (indictment)
- **Incident Date:** May 2023 – January 2025
- **Affected Organization:** Saydel Community School District (SCSD)
- **Sector:** Education
- **Geography:** Iowa, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-April 2023 (Prior to termination)
- **Vector:** Authorized Insider Access
- **Details:** Before being fired, Potter harvested and stored credentials for more than 300 user accounts on a personal USB drive.
### Lateral Movement/Persistence
- **May 2023 – January 2025:** Potter maintained access using the stolen credentials.
- **June 1, 2023:** Deleted the district’s Facebook page using admin privileges.
- **June 14, 2023:** Compromised Apple School Manager, deleting passwords, billing info, and MDM server data.
- **July–August 2023:** Repeatedly accessed the district’s GoDaddy account (26 times) to attempt credential resets.
- **October 2024:** Successfully gained access to district Google/Gmail accounts.
### Data Exfiltration/Impact
- **Permanent Deletion:** The original district Facebook page was permanently lost.
- **Service Disruption:** In January 2025, Potter deleted an IT staff member's Schoology account, locking out teachers and halting instruction for two hours during a school day.
- **Communication Sabotage:** Deleted nine Gmail accounts belonging to the Superintendent, IT Director, and various staff.
### Detection & Response
- **Discovery:** Triggered by the January 2025 Schoology/Gmail deletions and subsequent IP tracing.
- **The "Undo" Factor:** Potter asked a coworker at his new job (The Printer Inc) to wipe a USB drive left in his desk. The coworker instead turned the drive over to management.
- **Response:** Law enforcement and the FBI performed forensics on the USB drive, finding the spreadsheet of 300+ credentials and district maps.
## Attack Methodology
- **Initial Access:** Valid accounts (Insider threat).
- **Persistence:** Stolen credentials stored on a physical USB drive; use of VPNs during later stages.
- **Privilege Escalation:** Use of high-level administrative credentials (MDM, GoDaddy, Facebook) obtained while employed.
- **Defense Evasion:** Use of a VPN to mask IP addresses during the final attacks in 2025.
- **Credential Access:** Credential harvesting of 300+ accounts prior to termination.
- **Discovery:** Accessing high school floor plans and system architectures.
- **Lateral Movement:** Authenticating across multiple cloud platforms (GoDaddy, Google, Apple, Schoology).
- **Collection:** Gathering sensitive payroll, billing, and system configuration data.
- **Impact:** System sabotage, account deletion, and operational downtime.
## Impact Assessment
- **Financial:** Total losses of $101,268.81 ($73k in internal costs/vendors; $28k in insurance payouts).
- **Data Breach:** Compromise of 300+ sets of credentials and administrative control over core school platforms.
- **Operational:** Teachers unable to teach for several hours; loss of historical social media presence; significant IT remediation time.
- **Reputational:** Public disruption of school services and loss of district communication channels.
## Indicators of Compromise
- **Network:** Access to GoDaddy/Google accounts from unauthorized IPs (including IPs assigned to Casey’s and The Printer Inc).
- **File:** Spreadsheets containing cleartext credentials and "Saydel High School Floor Plan."
- **Behavioral:** Deletion of administrative accounts by a user no longer employed; rapid, unauthorized password reset attempts.
## Response Actions
- **Containment:** Coordination with Apple and GoDaddy to regain control of administrative portals.
- **Eradication:** Rebuilding the district’s social media presence and Google accounts.
- **Recovery:** Forensic investigation by the FBI and private firms to determine the extent of the harvested data.
- **Legal:** Potter was indicted in October 2025 and sentenced to 21 months in prison in June 2026.
## Lessons Learned
- **Offboarding Gaps:** Administrative privileges and access to third-party accounts (Facebook, GoDaddy, Apple) were not revoked immediately upon the employee's termination.
- **Lack of MFA:** The ability of a former employee to repeatedly log in from new, unauthorized locations suggests a lack of robust Multi-Factor Authentication (MFA).
- **Insider Threat Monitoring:** No alerts were triggered by a single user logging into critical accounts dozens of times over a year after termination.
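The behavioural indicators listed above (post-termination logins, bursts of password reset attempts, deletion of administrative accounts) are easy to express as rules over an audit log joined to an HR offboarding roster. The following is an added example written for this report, not code from the district or from the investigation; the log format, account names, IP addresses (documentation ranges), termination date and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: account -> termination date. Assumed; not from the report.
OFFBOARDED = {"it.support.01": datetime(2023, 4, 28)}

# Constructed audit-log lines (fields: timestamp|actor|platform|action|target|src_ip).
SAMPLE_LOG = """\
2023-06-01T21:14:02|it.support.01|facebook|delete_page|district-page|203.0.113.7
2023-07-09T02:10:11|it.support.01|godaddy|password_reset_attempt|admin|203.0.113.7
2023-07-09T02:11:40|it.support.01|godaddy|password_reset_attempt|admin|203.0.113.7
2023-07-09T02:13:05|it.support.01|godaddy|password_reset_attempt|admin|203.0.113.7
2024-03-15T09:00:00|it.director|google|login|it.director|198.51.100.4
2025-01-21T07:55:30|it.support.01|google|delete_account|superintendent|203.0.113.9
"""

def parse(log_text):
    """Turn the pipe-separated log into event dicts with real datetimes."""
    events = []
    for line in log_text.splitlines():
        ts, actor, platform, action, target, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "platform": platform, "action": action,
                       "target": target, "ip": ip})
    return events

def detect(events, roster=OFFBOARDED, reset_limit=3, window=timedelta(minutes=10)):
    """Return (rule, actor, platform, timestamp) alerts for activity after termination,
    bursts of password reset attempts, and destructive actions (thresholds assumed)."""
    alerts = []
    recent_resets = defaultdict(list)  # (actor, platform, target) -> timestamps
    for e in sorted(events, key=lambda x: x["ts"]):
        stamp = (e["actor"], e["platform"], e["ts"].isoformat())
        term = roster.get(e["actor"])
        if term is not None and e["ts"] > term:
            alerts.append(("post_termination_activity",) + stamp)
        if e["action"].startswith("delete_"):
            alerts.append(("destructive_action",) + stamp)
        if e["action"] == "password_reset_attempt":
            key = (e["actor"], e["platform"], e["target"])
            # keep only attempts inside the sliding window, then add this one
            recent_resets[key] = [t for t in recent_resets[key]
                                  if e["ts"] - t <= window] + [e["ts"]]
            if len(recent_resets[key]) >= reset_limit:
                alerts.append(("rapid_reset_attempts",) + stamp)
    return alerts

def summarize(alerts):
    return Counter(rule for rule, *_ in alerts)
```

`detect(parse(SAMPLE_LOG))` flags every action by the offboarded account, the burst of three GoDaddy reset attempts, and both deletions; the roster join is the piece that was missing in the district's monitoring.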
## Recommendations
- **Automated Offboarding:** Implement "kill switches" to revoke all SSO and third-party access simultaneously when an IT employee is terminated.
- **MFA Implementation:** Mandate hardware-based or app-based MFA for all administrative portals (DNS, Cloud Management, Social Media).
- **Least Privilege:** Ensure no single IT staff member has "keys to the kingdom" without oversight or logging.
- **Asset Control:** Ensure all company-issued devices are recovered and wiped immediately upon termination.