Former School IT Worker Gets 21 Months for Sabotage That Exposed Weak Access Controls


Privacy Reporter

A school district’s former IT employee used retained credentials to disrupt core systems for nearly two years, showing how insider access failures can become a student privacy and continuity crisis.


What happened

A former IT support worker for Iowa’s Saydel Community School District has been sentenced to 21 months in prison after sabotaging systems used by staff, teachers, and students after his firing in April 2023.

According to the reported court record, Ezekiel Dean Potter had collected more than 300 district usernames and passwords before leaving the job. Between May 2023 and January 2025, he used that access to delete the district’s Facebook page, interfere with Apple School Manager, attempt access changes in GoDaddy, enter Google and Gmail accounts, and disrupt the district’s PowerSchool Schoology learning platform.

The most direct classroom impact came in January 2025, when Potter deleted an IT staff account tied to the district’s learning environment. Teachers were locked out during a school day, disrupting instruction for about two hours. A week later, he deleted nine more Gmail accounts, including accounts tied to current and former staff, the IT director, and the superintendent.

Investigators later found a USB drive containing spreadsheets with more than 300 district usernames and passwords, a floor plan for Saydel High School, personal data, and pay records. The district reported $73,375 in costs for lost staff time, forensics, downtime, and vendor remediation. Its insurer paid another $27,893.75, bringing total losses to $101,268.81. Potter was also ordered to pay restitution totaling $59,668.81.

The criminal case is fundamentally about unauthorized access and intentional damage to computer systems. In the United States, conduct like this is commonly prosecuted under the Computer Fraud and Abuse Act, which covers unauthorized access to protected computers and damage caused through that access.

For privacy and data protection, the case also shows why security rules under regimes such as the GDPR and California’s CCPA, as amended by the CPRA, matter even when a particular incident may not fall directly under those laws. Saydel is an Iowa public school district, so the CCPA’s main obligations, which focus on covered for-profit businesses, would not normally apply to the district itself. GDPR would generally apply only if an organization processes personal data of people in the EU in a covered context.

The principles are still relevant. GDPR Article 5 requires personal data to be handled with integrity and confidentiality. GDPR Article 32 requires appropriate technical and organizational security measures, including access control, resilience, and procedures for restoring access after an incident. If a comparable breach occurred at a GDPR-covered organization, regulators could examine whether credentials were properly revoked, whether privileged access was monitored, and whether the organization could detect misuse quickly. GDPR penalties can reach up to 10 million euros or 2 percent of global annual turnover for some security failures, and higher tiers can apply for more serious violations.

Under the CCPA and CPRA framework, California consumers may have a private right of action when certain personal information is exposed because a covered business failed to maintain reasonable security. The California Privacy Protection Agency also enforces privacy obligations through regulations and administrative penalties. For companies that serve schools, including cloud, identity, device management, and learning platform vendors, this matters because a school incident can implicate both contractual security duties and statutory privacy obligations.

Other education-specific rules may also matter. In the United States, student data is often governed by FERPA, which protects education records, and by state student privacy laws. If children’s online services are involved, COPPA may also be relevant. The facts reported here center on sabotage and credential misuse, but the presence of school accounts, staff accounts, learning systems, and device management data makes this more than a routine IT dispute.

Impact on users and companies

For students and families, the harm is not limited to whether a spreadsheet of passwords was copied. A school system is a daily operating environment. Identity systems, email, device management, learning platforms, and administrator accounts determine whether teachers can teach, students can access assignments, and staff can protect records.

That is why insider incidents are especially damaging in education. A former employee may understand which accounts matter, which systems are under-monitored, which vendors are difficult to recover through, and which actions will cause the most disruption. In this case, the reported deletion of Apple School Manager data affected management of Macs and iPads. The Schoology disruption affected classroom instruction. The deleted Gmail accounts hit senior staff and IT leadership.

For the district, the financial cost reached six figures before counting harder-to-measure damage such as staff stress, lost classroom time, parent concern, and reduced trust. For vendors and insurers, the incident is a reminder that schools are not low-risk clients simply because they are public institutions. They hold sensitive records, depend on cloud identity systems, and often operate with small IT teams.

For companies, the lesson is direct: employee departure is a security event. Termination should trigger immediate credential revocation, session invalidation, device recovery, token rotation, review of shared accounts, audit log preservation, and verification of privileged roles across every major platform. That includes Google Workspace, Microsoft 365, Apple School Manager, domain registrars, learning management systems, social media accounts, backup systems, and identity providers.

A serious compliance program cannot treat offboarding as a human resources checklist alone. Privacy law increasingly judges security by outcomes and process. Regulators ask whether access was limited to what was necessary, whether privileged activity was logged, whether credentials were protected, and whether the organization responded quickly once signs of misuse appeared.

What changes

The sentence sends a clear message to employees with privileged access: keeping or using credentials after leaving a job can turn a workplace grievance into a felony. But punishment after the fact does not protect students during an incident. The more useful change is preventive.

Schools and companies should move away from shared administrator accounts wherever possible. Each privileged user should have a named account, multi-factor authentication, role-based permissions, and logging that ties actions to a person. Emergency accounts should exist, but they should be tightly controlled, monitored, and rotated after use.

Offboarding should include a written system inventory. If an employee had access to Apple School Manager, Google Workspace, GoDaddy, social media, device management, finance systems, backups, and learning platforms, every one of those systems needs a confirmed access removal record. Password changes alone are not enough if OAuth tokens, recovery emails, API keys, backup codes, mobile device profiles, or delegated admin roles remain active.

Organizations should also monitor for delayed misuse. Potter’s reported conduct stretched from 2023 into 2025. That timeline matters because many insider cases do not end when the employee leaves. Dormant access can sit unnoticed until a later login, account deletion, or configuration change causes visible damage.
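The offboarding inventory and the delayed-misuse monitoring described above can both be checked mechanically. The sketch below is an added example, not code from the district or the court record: the system names come from the article, while the record layout, account names, dates, and audit events are constructed for illustration.

```python
from datetime import date

# Credential artifacts the article notes can outlive a password change.
ARTIFACTS = ["password", "sessions", "oauth_tokens", "api_keys",
             "backup_codes", "recovery_email", "admin_roles"]

# Constructed offboarding record; every name and date is illustrative.
RECORD = {
    "departed": date(2024, 6, 30),
    # Named account plus shared accounts the departed person knew.
    "accounts": {"former.tech", "it-shared-admin", "social-media"},
    # Per system: artifacts with a confirmed removal record.
    "revoked": {
        "Google Workspace": {"password", "sessions", "admin_roles"},
        "Apple School Manager": {"password"},
        "GoDaddy": set(),
        "Schoology": set(ARTIFACTS),
    },
    # Last rotation of each shared credential (absent = never rotated).
    "rotated": {"social-media": date(2024, 8, 1)},
}

EVENTS = [  # constructed audit events: (date, system, account, action)
    (date(2024, 6, 1), "Google Workspace", "former.tech", "login"),
    (date(2024, 7, 15), "GoDaddy", "it-shared-admin", "login"),
    (date(2024, 7, 20), "Facebook", "social-media", "login"),
    (date(2024, 9, 5), "Facebook", "social-media", "post"),
    (date(2024, 9, 9), "Google Workspace", "teacher.a", "login"),
    (date(2025, 1, 10), "Google Workspace", "it-shared-admin", "account_delete"),
]

def removal_gaps(record):
    """Map each system to the artifacts lacking a confirmed removal."""
    gaps = {s: [a for a in ARTIFACTS if a not in done]
            for s, done in record["revoked"].items()}
    return {s: missing for s, missing in gaps.items() if missing}

def delayed_misuse(record, events):
    """Post-departure use of held credentials not rotated since departure."""
    hits = []
    for when, system, account, action in events:
        if account not in record["accounts"] or when <= record["departed"]:
            continue
        rotated = record["rotated"].get(account)  # None for named accounts
        if rotated is None or not (record["departed"] < rotated <= when):
            hits.append((when, system, account, action))
    return hits

if __name__ == "__main__":
    print(removal_gaps(RECORD), delayed_misuse(RECORD, EVENTS), sep="\n")
```

The shared `social-media` credential is flagged only for the login before its rotation date, which is the distinction between legitimate staff use and a departed employee's retained password.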

For GDPR-covered organizations, this means access reviews, logging, and incident response are not paperwork. They are evidence of whether security measures were appropriate. For CCPA-covered businesses, reasonable security requires more than written policy. It requires practical controls that stop old credentials from becoming live weapons.

The affected parties here were not only administrators and IT staff. Students lost instructional time. Teachers lost access to classroom tools. The district lost money and operational confidence. That is the rights-focused core of the story: identity security protects people, not just networks.
