A former Senior IT Support Specialist, Ezekiel Dean Potter, executed an 18-month cyber sabotage campaign against the Saydel Independent School District after his termination in April 2023. The attacker leveraged retained administrative credentials that were not revoked during the offboarding process to gain unauthorized access to district systems. This persistence enabled the deletion of critical user accounts and the disruption of classroom operational telemetry. The breach resulted in tens of thousands of dollars in financial losses and culminated in a 21-month federal prison sentence following a forensic audit of authentication logs and system telemetry.

  • Incident Overview: Privileged Insider Sabotage

    • Threat Actor: Ezekiel Dean Potter, a former privileged employee with deep internal system knowledge.
    • Duration: Sustained malicious activity lasting 18 months post-termination.
    • Objective: Intentional operational disruption and data sabotage.
  • Attack Vector: Offboarding Lifecycle Failure

    • Credential Persistence: Failure to execute a comprehensive identity revocation process upon employee exit.
    • Access Method: Utilization of valid, unrevoked administrative and user credentials to bypass perimeter defenses.
    • Technical Vector: Exploitation of stale accounts within the district's identity management framework.
  • Operational Impact: Systemic Disruption

    • Identity Sabotage: Deliberate deletion of critical user accounts to impede district operations.
    • Classroom Interference: Direct disruption of instructional technology and classroom telemetry.
    • Financial Loss: Direct damages and remediation costs totaling tens of thousands of dollars.
  • Forensics and Attribution

    • Log Analysis: Identification of unauthorized authentication events linked to the defendant's retained credentials.
    • Audit Trails: Forensic reconstruction of account deletion records and system modification logs.
    • Legal Outcome: Federal prosecution leading to a 21-month prison sentence.
  • Defensive Implications for CISOs

    • IAM Hardening: Necessity of automated, synchronized account disabling across all directories and SaaS platforms during offboarding.
    • Privileged Access Management (PAM): Implementation of Just-in-Time (JIT) access to eliminate permanent high-level privileges.
    • Monitoring: Deployment of behavioral alerts for authentication attempts by deactivated or dormant identities.
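As an added example (not code from the briefing or from any of the sources it links), the script below shows the kind of alerting the Monitoring bullet describes: it runs over authentication events and flags logins by identities that appear in an offboarding register, and logins by identities that have been idle longer than a dormancy threshold. The log format, the usernames, dates and addresses, and the 90-day threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for a "dormant" identity

# Constructed offboarding register: username -> termination timestamp (hypothetical data)
OFFBOARDED = {
    "jdoe": datetime(2023, 4, 14),
    "itadmin2": datetime(2023, 4, 14),
}

# Constructed auth log in an assumed "<iso-time> <result> user=<u> src=<ip>" format
SAMPLE_LOG = """\
2023-04-10T08:02:11 SUCCESS user=jdoe src=10.20.1.15
2023-04-20T23:41:07 SUCCESS user=itadmin2 src=203.0.113.9
2023-05-02T09:15:30 SUCCESS user=asmith src=10.20.1.40
2023-09-14T02:03:55 SUCCESS user=jdoe src=198.51.100.22
2023-11-01T07:30:00 FAILURE user=itadmin2 src=203.0.113.9
"""

def parse_event(line):
    """Split one log line of the assumed format into its fields."""
    ts, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}

def find_suspicious_logins(log_text, offboarded, dormant_after=DORMANT_AFTER):
    """Flag auth events by revoked identities or by identities idle longer than dormant_after."""
    # Events are assumed to be in chronological order; each alert lists why it fired.
    last_success = {}
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        reasons = []
        term = offboarded.get(ev["user"])
        if term is not None and ev["ts"] > term:
            reasons.append("stale_credential")      # account should have been revoked
        seen = last_success.get(ev["user"])
        if seen is not None and ev["ts"] - seen > dormant_after:
            reasons.append("dormant_reactivation")  # long-idle identity is back
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"], "src": ev["src"],
                           "result": ev["result"], "reasons": reasons})
        if ev["result"] == "SUCCESS":
            last_success[ev["user"]] = ev["ts"]
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_LOG, OFFBOARDED):
        print(a["ts"], a["user"], a["src"], a["result"], ",".join(a["reasons"]))
```

Failed attempts by revoked identities are alerted as well, since a failure against a disabled account is itself a signal that the account is being tried.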

Related posts

  1. bleepingcomputer.com — Ex-school district employee jailed for hacks on former employer
  2. immuniweb.com — A Former School District IT Employee Sentenced For Hacking Employer