Introduction
For twenty-one months, a former IT technician at an Iowa school district ran a series of targeted attacks against his ex-employer — from home, using credentials no one had ever taken away. On June 11, 2026, Ezekiel Dean Potter, 34, was sentenced to twenty-one months in federal prison and three years of supervised release for violations of the Computer Fraud and Abuse Act. This case is instructive — not because the attacks were technically sophisticated, but because of what they expose about a widespread organizational blind spot: IT offboarding.
A Departure With No Clean Break
Potter had worked as a senior support technician at the Saydel Community School District, in the Des Moines area, from May 2022 to April 2023. When his contract ended, he should have lost all access to his former employer's systems. That didn't happen.
Leveraging credentials that were never revoked, he launched a methodical sabotage campaign. The district's Facebook page was deleted. Access to Apple School Manager — a core platform for managing student devices and accounts — was compromised, resulting in the deletion of credentials, phone numbers, and fleet management data, causing nearly a week of educational disruption. He then targeted the Schoology learning platform, deleted an IT administrator's account, and triggered two hours of classroom downtime. Nine employee Gmail accounts — including those of the IT director and the school principal — were also wiped. To cover his tracks, Potter consistently routed his connections through a VPN.
Total remediation costs for the district and its insurer came to nearly $60,000.
A USB Drive in His New Desk Drawer
Potter's downfall also illustrates the risks of poor individual credential hygiene. It was a colleague at his next employer who ended the affair: they discovered a USB drive containing usernames and passwords belonging to school district accounts and handed it over to authorities. Months after leaving the role, the former technician was still storing his ex-employer's credentials on a personal physical device.
IT Offboarding Is a Security Operation, Not an HR Formality
What this case exposes is less a technical vulnerability than an organizational failure. Access revocation upon departure — whether voluntary or involuntary — is too often treated as just another administrative task, buried in an incomplete HR checklist and nobody's top priority.
Yet in any organization where IT teams manage access across dozens of services — cloud accounts, SaaS tools, corporate directories, business platforms — the risk of residual access is significant. A forgotten account with a SaaS vendor, an API token that never expired, a shared non-personal login: each of these can become an entry point for a disgruntled former employee or an outside attacker who has gotten hold of credentials still in circulation.
Best practices are well-documented: immediate and systematic access revocation at the moment of departure, a full audit of access granted over the entire duration of employment, ownership transfer for service accounts, and periodic permission reviews to catch dormant accounts before they become liabilities. Implementation, however, remains inconsistent — particularly in mid-sized organizations where IT operates in reactive mode.
What Organizations Need to Take Away
Potter's sentencing closes a legal case. It does not resolve the structural question it raises. Every departure involving an employee with broad system privileges is a risk event if it isn't governed by a rigorous IT offboarding protocol. In the case of the Saydel Community School District, the absence of that protocol cost $60,000, caused several weeks of educational disruption, and exposed the personal data of students and staff alike.
For B2B organizations, the stakes are typically higher: customer data, production environment access, control over financial or contract management tools. A botched offboarding doesn't just cost money to fix. It also costs money to explain.