Charges dropped against Coalfire security team who broke into courthouse during pen test

Miscommunication led to arrests during a midnight physical security test.
Written by Charlie Osborne, Contributing Writer

Charges have been dropped against a pair of cybersecurity experts who were arrested during a midnight physical penetration test against an Iowa courthouse. 

The saga began on September 11, 2019, in which Colorado-based Coalfire was hired to perform an assessment of the security of electronic records kept in the Dallas County Courthouse in Iowa. Two employees, Gary DeMercurio and Justin Wynn, were equipped with the tools required to break into the courthouse and entered the building in the middle of the night. 

An alarm was triggered and the Coalfire team was arrested, despite their protests that the break-in was a legal test of law enforcement response times on behalf of the State Court Administration (SCA), the body which hired Coalfire in the beginning. 

The penetration testing contract outlined both physical and digital tests during Coalfire's assessment, the team said in an interview with Brian Krebs. Afterhours testing was reportedly requested by the client and the team was to attempt to get into the courthouse but to not circumvent the alarm or perform destructive entry. 

See also: Magecart group jumps from Olympic ticket website to new wave of e-commerce shops

The cybersecurity professionals handed over a copy of the contract to the response team, designed to be a "get out of jail free" paper. While at this point they were free and clear, once Dallas County Sheriff Chad Leonard arrived and threatened to arrest them, the tone changed and charges were laid at their feet. Bail was set at $100,000 between the duo and they spent roughly 24 hours in jail.  

SCA confirmed that Coalfire had been hired to conduct tests, but said at the time, "SCA did not intend, or anticipate, those efforts to include the forced entry into a building."

Both men were charged with felony burglary in the third degree as well as the possession of burglary tools, later downgraded to trespass. However, Dallas County Attorney Charles Sinnard has decided to dismiss these charges following discussions between Coalfire, the Dallas County Sheriff, and the attorney himself. 

CNET: Huawei ban: Full timeline as Britain gives Huawei approval to build its non-core 5G network

In a statement published last week, the penetration testing company said:

"It was the intention of the Dallas County Sheriff to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse. It was also the intention of Coalfire to aid in protecting the citizens of the State of Iowa, by testing the security of information maintained by the Judicial Branch, pursuant to a contract with State Court Administration."

Coalfire added that persuing the charges against the penetration testing team was not in the public interest; instead, improving communication channels between cybersecurity firms and legal entities should be the priority.   

"We are pleased that all charges are dropped in the Iowa incident," said Coalfire CEO Tom McAndrew. "With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement."

TechRepublic: Hackers using coronavirus scare to spread Emotet malware in Japan

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards