If an ex-IT employee kept your login, could they quietly attack your school for 21 months?

June 14, 2026
by
Arjun Bhatnagar

Most school cyber incidents don’t start with a “hacker in a hoodie.” Sometimes it’s simpler: someone who already knows the systems, already knows the people, and still has a way in. Prosecutors say that’s what happened at Saydel Community School District, where a former IT support specialist allegedly kept credentials after leaving and targeted district systems for roughly 21 months. Let’s break down what the damage looked like, how investigators connected the dots, what the penalties were, and what K-12 teams can do so “former employee access” stops being a long-running problem.

What “quiet access” looks like in a real school environment

When a former employee retains credentials, it doesn’t look like a Hollywood breach. It looks like small, sharp cuts that keep landing. In the Saydel Community School District case, prosecutors said the activity stretched across platforms that K-12 teams rely on every day—social media, device management, domains, and classroom systems.

It starts with “annoying,” then turns operational

One of the first alleged hits was simple: the district’s Facebook page was deleted.
That sounds “non-IT,” but schools use Facebook for weather closures, event updates, and quick community messaging. Rebuilding isn’t just PR work; it’s time, access recovery, and reputational cleanup.

Then it moved into systems that can actually stop instruction.

Apple School Manager: a quiet way to freeze devices district-wide

Prosecutors said the former IT worker later targeted Apple School Manager (ASM), deleting user accounts, passwords, phone numbers, billing info, and device management server data.

In plain terms, this is how a K-12 environment gets jammed up fast:

  • Teachers and IT lose admin access to the Apple management console
  • MacBooks and iPads can’t be managed (apps, settings, restrictions, deployment)
  • Recovery turns into a vendor escalation loop; in this case, it allegedly took roughly a week to get device management back while staff worked with Apple

That’s “quiet access” in action: no ransomware note, just systems that suddenly don’t cooperate.

“Constant pressure” attacks: resets, lockouts, and account pokes

Prosecutors also described repeated attempts to reset employee usernames and passwords across “various platforms and accounts.”
This kind of post-employment access attempt is brutal because it forces staff into defensive mode—helpdesk tickets, frantic password changes, and staff who stop trusting login prompts.

The district also reportedly saw unauthorized access attempts against its GoDaddy account and other services.
For a school, the domain registrar isn’t a side detail. If an attacker controls DNS, they can redirect staff and students to fake sign-in pages, break email routing, or knock key services offline.

Schoology + Google Admin: where classroom disruption shows up

The most visible impact hits when learning tools go down. Prosecutors said that in January 2025, the attacker accessed Schoology through a Google administrator account and deleted an IT employee’s account—disrupting teacher access and impacting classes for about two hours.

A week later, prosecutors say another administrator account was used to delete nine Gmail accounts, including accounts belonging to the district’s IT director and superintendent.

If you’ve worked in K-12 IT, you already know what those two sentences mean on the ground:

  • Teachers can’t get into the LMS, can’t post materials, can’t take attendance the normal way.
  • Staff lose access to email threads tied to parent communications, scheduling, vendor billing, and approvals.
  • IT gets pulled from planned work into emergency recovery.

This is what an “ex-employee retained credentials” school district cyberattack can look like: not a single explosion, but a series of targeted disruptions that drain time, money, and attention—exactly because the attacker already knows which accounts matter.

How investigators tied it back to a former employee (and why attackers switch tactics)

When a school district sees repeated account abuse, the big question is always the same: Is this an outside attacker, or someone who already knows the environment? In the Saydel case, investigators had two things that matter in court: network breadcrumbs and a physical paper trail.

Breadcrumb #1: IP addresses that point to real places

A lot of “ex-employee cyberattack” cases start with basic log review. If an attacker isn’t careful, their sign-ins show up with source IP addresses that map back to locations tied to their day-to-day life.

Federal investigators eventually traced some of the activity to IP addresses associated with the former employee’s other workplaces, including Casey’s Store Support Center and The Printer Inc. (TPI).

That’s a big deal because it’s not a vague attribution story. It’s specific enough to support interviews, subpoenas, and timelines.

Why this matters for K-12 teams

  • Your Google Workspace / Microsoft / VPN logs aren’t “just logs.” They’re evidence.
  • IP + timestamp can connect school district unauthorized access attempts to a person’s routine.

Breadcrumb #2: attackers adjust after they get caught on alerts

Attackers pay attention when they trigger security warnings. Court filings said the defendant switched to using a VPN service after receiving Google security alerts warning of unauthorized account access.

This is a pattern K-12 defenders should expect:

  1. Early phase: direct logins from home or work IPs (easy for investigators to trace).
  2. After alerts/fire drills: VPN usage and more cautious access paths.
  3. Long tail: fewer obvious clues, more “low and slow” attempts.

So if your team gets Google security alerts and the weird logins suddenly “stop,” don’t relax. Sometimes it just means the attacker upgraded their approach.

The “paper trail you can hold”: the USB drive

Digital trails help. Physical artifacts close cases.

After the former employee left TPI in January 2025, prosecutors said he asked a former coworker to retrieve and wipe a USB drive from his desk.
Instead, the coworker turned it over to investigators, who allegedly found spreadsheets containing usernames and passwords for Saydel School District accounts and services.

That’s the nightmare scenario behind sloppy offboarding: retained credentials aren’t just memorized—they can be stored, organized, and reused.

A practical takeaway (without adding work you can’t sustain)

If your district is trying to cut down the blast radius of retained credentials, focus on controls that force an attacker to have more than “just the password”:

  • Two-factor authentication on admin accounts and high-impact services
  • Alerts for new sign-in locations, impossible travel, and admin role use
  • A habit of treating repeated password resets as a real incident, not a helpdesk annoyance

This is also where tools like Cloaked can fit in a practical way for staff workflows: using masked emails/phones for vendor accounts reduces how often personal identifiers get tied to access and password recovery paths. It doesn’t replace offboarding, but it can remove an easy handle attackers like to grab.

The cost is real: sentencing, restitution, and the hidden price of disruption

Once investigators can tie the activity to a person, the story stops being “weird IT issues” and starts being criminal exposure.

In this case, the former school district IT employee was sentenced to 21 months in prison.
The sentence also included three years of supervised release.

The part most people miss: post-prison restrictions can be intense

Supervised release isn’t a slap on the wrist. Court filings said the supervised release conditions included restrictions and monitoring related to employment, finances, and computer systems, including searches of electronic devices upon reasonable suspicion.

If you’re reading this as a K-12 leader, that detail matters for one reason: when a former employee attacks a district, it’s not “a technical prank.” The system treats it as serious harm with real consequences.

Restitution: the dollar figure schools actually feel

The court also ordered $59,668.81 in restitution to the Saydel Community School District and its insurer, Travelers Casualty and Surety Company, tied to remediation costs.

That number is easy to read and hard to live through because it’s usually made up of unglamorous work:

  • Extra staff hours spent on recovery and verification
  • Vendor support tickets and escalation calls
  • Emergency changes that create new break/fix issues

The hidden price: disruption is a tax you pay in hours, not headlines

Reporting around the case described a prolonged cyberattack that disrupted classroom operations, involved deleted accounts, and caused “tens of thousands of dollars in damages.”

That’s the operational lesson for every district worried about an ex-employee retained-credentials scenario: the damage isn’t only what gets deleted. It’s the ripple effect—lost time, missed instruction, and IT teams stuck doing reactive work.

And it all gets more likely when offboarding is loose: old admin access left active, shared credentials that never get rotated, and recovery paths (email/phone) that still point to people who’ve moved on.

A K-12 offboarding playbook that shuts the door fast (and shows you if it re-opens)

The restitution number is what shows up on paper. The real bill is paid in scrambled mornings, emergency vendor calls, and weeks of “why is this still happening?” A big chunk of that pain comes from one gap: ex-employee access that wasn’t shut down cleanly.

This case is a blunt reminder of the basics: disable admin access and rotate credentials when IT staff leave.

Part 1: The 24-hour offboarding shutdown (do this even if you’re short-staffed)

If someone had privileged access, treat their departure like an incident until proven otherwise.

Same day (hours, not days):

  1. Disable the identity first
    • Google Workspace / Microsoft account: suspend, revoke sessions, reset password
    • SSO account (if used): disable and revoke tokens
  2. Kill privileged paths
    • Remove all admin roles (even “temporary” ones)
    • Disable VPN accounts, RDP/remote tools, and break-glass access paths
  3. Rotate what they might know
    • Shared passwords (team vault entries, “department logins”)
    • Any static secrets stored in scripts, printers, network gear, Wi‑Fi, switches

Within 24 hours:

  • Force a reset on accounts tied to operations and teaching:
    • Google Admin super admins and delegated admins
    • Apple School Manager admins
    • LMS admins (Schoology, Canvas, etc.)
    • Domain registrar (e.g., GoDaddy) and DNS
    • Payment/communications systems (meal payments, messaging, website CMS)

Why so aggressive? Because prosecutors said the attacker in this case retained credentials and kept targeting systems over time.

Part 2: Admin and vendor platform lock-down (where schools get burned)

K-12 districts run on third-party platforms. Offboarding has to cover vendor consoles, not just network logins.

Do an “admin map” review:

  • List every platform with admin capability (Google, Apple, LMS, registrar, backups)
  • For each platform, answer:
    • Who are the admins?
    • What’s the recovery email/phone?
    • Is MFA enforced for admins?
    • Are there shared accounts? If yes, why?

If the recovery email/phone points to a person who left, you’ve left a side door open.
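To make the Part 1 shutdown and the Part 2 “admin map” review checkable rather than a mental exercise, here is an added example (written for this article, not code from the district, from Cloaked, or from any vendor named above). It assumes a hypothetical inventory format in which each platform lists its admins, its recovery contacts, whether MFA is enforced, and the last rotation date of any shared account; all names, domains and dates in it are constructed.

```python
"""Offboarding gap audit over a constructed 'admin map'.

Assumed (hypothetical) data model: one Platform record per console with
admin capability, plus one Departure record per person who has left.
Findings are what the same-day / 24-hour checklist should have closed.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1}


@dataclass
class Platform:
    name: str
    admins: list                 # account identifiers holding an admin role
    recovery_contacts: list      # emails/phones used by the vendor's recovery flow
    mfa_enforced: bool           # MFA required for admins on this console
    shared_accounts: dict = field(default_factory=dict)  # name -> last rotation date (or None)


@dataclass
class Departure:
    user: str                    # the departed person's district account
    personal_contacts: list      # recovery emails/phones that belong to that person
    left_on: date


def audit_offboarding(platforms, departures):
    """Return (severity, platform, finding) tuples, most severe first."""
    findings = []
    for p in platforms:
        if not p.mfa_enforced:
            findings.append(("high", p.name, "MFA not enforced for admins"))
        for d in departures:
            if d.user in p.admins:
                findings.append(("critical", p.name,
                                 f"departed user {d.user} still holds an admin role"))
            for contact in p.recovery_contacts:
                if contact in d.personal_contacts:
                    findings.append(("critical", p.name,
                                     f"recovery contact {contact} belongs to departed user {d.user}"))
            for acct, rotated in p.shared_accounts.items():
                # A shared password the departed person could know must have been
                # rotated on or after their last day.
                if rotated is None or rotated < d.left_on:
                    findings.append(("high", p.name,
                                     f"shared account '{acct}' not rotated since {d.user} left on {d.left_on}"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


# Constructed sample inventory (not real district data).
SAMPLE_PLATFORMS = [
    Platform("Google Workspace",
             admins=["itdirector@district.example", "former.tech@district.example"],
             recovery_contacts=["itdirector@district.example"], mfa_enforced=True),
    Platform("Apple School Manager",
             admins=["itdirector@district.example"],
             recovery_contacts=["former.tech.personal@mail.example"], mfa_enforced=False),
    Platform("Domain registrar",
             admins=["itdirector@district.example"],
             recovery_contacts=["itdirector@district.example"], mfa_enforced=True,
             shared_accounts={"registrar-shared": date(2023, 9, 1)}),
    Platform("LMS",
             admins=["itdirector@district.example"],
             recovery_contacts=["itdirector@district.example"], mfa_enforced=True,
             shared_accounts={"lms-support": date(2024, 3, 5)}),
]
SAMPLE_DEPARTURES = [
    Departure("former.tech@district.example",
              ["former.tech.personal@mail.example", "+1-555-0100"], date(2024, 3, 1)),
]

if __name__ == "__main__":
    for severity, platform, finding in audit_offboarding(SAMPLE_PLATFORMS, SAMPLE_DEPARTURES):
        print(f"[{severity.upper():8}] {platform}: {finding}")
```

Run against the sample inventory, the audit reports the two critical items the article keeps returning to (a departed user still holding an admin role, and a vendor recovery contact that walked out the door with them) ahead of the MFA gap and the stale shared password; the LMS entry produces nothing because its shared account was rotated after the departure date. Feeding it your real admin map is the point: the list of findings is the same-day to-do list.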

This is one of the few spots where something like Cloaked can be a practical helper without adding busywork: using masked emails/phones for vendor accounts can reduce how often password recovery flows depend on personal identifiers that walk out the door with staff. Keep it documented in your offboarding checklist so it doesn’t become “mystery contact info” later.

Part 3: “Show me it re-opened” monitoring (because attackers change tactics)

In this case, court filings said the attacker switched to a VPN after Google security alerts warned of unauthorized access. That’s the pattern: once you start blocking, the behavior changes.

Set up alerts that make persistence obvious:

High-signal alerts to turn on:

  • Repeated failed logins for former employee accounts (even if disabled)
  • Password reset attempts and recovery-email changes
  • Admin role grants (new super admin, new delegated admin)
  • Mass deletes (users, mailboxes, devices, courses)
  • New sign-in locations / new devices for admin accounts

Operational rule that keeps you safe:

  • If “someone keeps trying,” treat it as an incident.
    • Open a ticket, preserve logs, escalate internally
    • Don’t wait for the next deletion to justify action
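The high-signal alerts above, and the “direct IPs first, VPN after the alerts fire” pattern from the investigation section, can be expressed as a handful of rules over an audit-event stream. The following is an added example written for this article (not code from the district, Google, or any vendor mentioned); it assumes a hypothetical event shape of (timestamp, actor, event type, target, source IP), and the accounts, network ranges and events in it are all constructed, including the address block that stands in for a commercial VPN provider.

```python
"""Retained-credential abuse detection over constructed audit events.

Rules (matching the article's alert list):
  1. repeated failed logins against a disabled former-staff account
  2. password resets / recovery-email changes / admin role grants
  3. admin sign-ins from outside the district's baseline networks,
     labelled separately when the source is a known VPN range
  4. mass deletes by one actor inside a short window
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events: (timestamp, actor, event type, target, source IP)
EVENTS = [
    ("2025-01-10T07:58:00", "former.tech@district.example", "login_failure", "", "203.0.113.10"),
    ("2025-01-10T07:58:20", "former.tech@district.example", "login_failure", "", "203.0.113.10"),
    ("2025-01-10T07:59:05", "former.tech@district.example", "login_failure", "", "203.0.113.10"),
    ("2025-01-10T08:00:00", "itdirector@district.example", "login_success", "", "192.0.2.5"),
    ("2025-01-10T08:05:00", "admin2@district.example", "login_success", "", "203.0.113.10"),
    ("2025-01-10T08:06:00", "admin2@district.example", "password_reset", "teacher1@district.example", "203.0.113.10"),
    # A week later, the same admin account signs in from a VPN range instead.
    ("2025-01-17T06:30:00", "admin2@district.example", "login_success", "", "198.51.100.77"),
]
# Nine user deletions one minute apart from the VPN address (constructed).
EVENTS += [(f"2025-01-17T06:{31 + i:02d}:00", "admin2@district.example", "user_delete",
            f"user{i}@district.example", "198.51.100.77") for i in range(9)]

DISABLED_ACCOUNTS = {"former.tech@district.example"}          # offboarded, should never log in
ADMIN_ACCOUNTS = {"admin2@district.example", "itdirector@district.example"}
BASELINE_NETS = [ipaddress.ip_network("192.0.2.0/24")]         # constructed district office range
VPN_NETS = [ipaddress.ip_network("198.51.100.0/24")]           # constructed stand-in for a VPN provider
ALWAYS_ALERT = {"password_reset", "recovery_email_change", "admin_role_grant"}


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect(events, fail_threshold=3, delete_threshold=5, delete_window=timedelta(minutes=10)):
    """Return (alert type, actor, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(int)          # actor -> failed logins on a disabled account
    deletes = defaultdict(list)          # actor -> timestamps of recent deletes
    for ts, actor, kind, target, ip in events:
        when = datetime.fromisoformat(ts)
        if kind == "login_failure" and actor in DISABLED_ACCOUNTS:
            failures[actor] += 1
            if failures[actor] == fail_threshold:      # fire once when the threshold is hit
                alerts.append(("disabled_account_probing", actor, ip))
        elif kind in ALWAYS_ALERT:
            alerts.append((kind, actor, target))
        elif kind == "login_success" and actor in ADMIN_ACCOUNTS and not _in_any(ip, BASELINE_NETS):
            label = "vpn_or_hosting_ip" if _in_any(ip, VPN_NETS) else "new_location"
            alerts.append(("admin_signin_" + label, actor, ip))
        elif kind == "user_delete":
            recent = deletes[actor]
            recent.append(when)
            while recent and when - recent[0] > delete_window:   # drop deletes outside the window
                recent.pop(0)
            if len(recent) == delete_threshold:
                alerts.append(("mass_delete", actor, f"{len(recent)} deletes in {delete_window}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the sample stream this produces five alerts: the probing of the disabled account, an admin sign-in from an unfamiliar address, the password reset, the later sign-in from the VPN range, and the mass-delete once the fifth deletion lands. The sign-in from the district office network produces nothing. The VPN label is the part worth keeping: when the unfamiliar residential address disappears and a VPN address takes its place on the same admin account, that is the tactic change the article describes, not a sign the problem went away.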

Part 4: Make it hard to keep secrets after leaving

Prosecutors said investigators found spreadsheets with usernames and passwords for district services on a USB drive. You can’t control someone’s USB drive, but you can control what secrets still work.

Controls that reduce retained-credential risk fast:

  • Enforce MFA on admin accounts (no exceptions)
  • Eliminate shared accounts where possible; if you can’t, rotate passwords on separation
  • Use role-based admin access (least privilege), reviewed on a schedule
  • Centralize credential storage in an approved vault with access logging

None of this is fancy. It’s just disciplined offboarding. The payoff is simple: even if a former employee kept a login, it stops being a 21-month problem.
