Pen test goes pear-shaped: cybersecurity firm staff arrested over courthouse burglary

Updated: A midnight raid was not what court administrators had in mind for electronic record security tests.

When State Court Administration (SCA) asked a cybersecurity firm to conduct an assessment of the safety of electronic records kept in Dallas County, the discovery of men in the building in the middle of the night was not what court officials had in mind.

Nevertheless, when law enforcement responded to an alarm on September 11 at 12.30am, two employees of the contracted company, Colorado-based Coalfire, were found in the Dallas County Courthouse equipped with burglary tools. 

The men were arrested, despite their protestations that they had been contracted to conduct a security test on SCA's behalf, and the late-night walkabout around the building was part of the deal. 

As reported by the Des Moines Register, the men, aged 29 and 43, told law enforcement they were contracted to test the courthouse alarm system and the response time of the police, but Dallas County officials had not been informed of the experiment.

On September 11, SCA confirmed the men worked for the contracted cybersecurity company, which was "asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities."

However, "SCA did not intend, or anticipate, those efforts to include the forced entry into a building."

Both men have been charged with burglary in the third degree and the possession of burglary tools. They will appear on September 23 in front of a judge for a preliminary hearing. 

Court administrators have apologized to the Dallas County Board of Supervisors and police.

In an updated statement, posted September 13, SCA said the group has been made aware of a "similar" break-in at the Polk County Historic Courthouse, but "has no other information to share at this time."

"State court administration does not condone forcible entry into any building as a part of cyber-security or any other type of testing," SCA added. 

Coalfire has not responded to requests for comment at the time of publication. The company told SC Magazine that over 10,000 security assessments have been conducted since 2001, and "employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client." However, Coalfire said it cannot comment further on the situation as an active legal matter. 

In related news, another cybersecurity firm has become embroiled with law enforcement after Israeli police raided the offices of Ability Computer & Software and Ability Security Systems. 

The Ability Inc. subsidiaries were raided as part of an ongoing investigation into the firm's export practices; specifically, the sale of software outside Israel's borders may fall foul of the country's laws. 

Update 13.20 BST: Coalfire has released the following statement:

"Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each conduct independent reviews and release the contractual documents executed between both parties.

We are providing this statement only to clarify an unfortunate set of events; since this is an evolving legal matter and involves confidential client work, we cannot comment on further details of the incident at this time."
