London Daily

Focus on the big picture.
Wednesday, Oct 29, 2025

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

A pair of security workers at a prominent cybersecurity company are contracted by the state of Iowa to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

They are arrested in the course of doing their jobs. The charges still have not been dropped, despite admissions by the state of a miscommunication with county authorities.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts to test voting facilities in advance of the 2020 presidential election may put security professionals at risk.

The state of Iowa contracted with a prominent cybersecurity company to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

In September, two employees of the company were arrested in the course of doing their jobs. The charges still have not been dropped.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts by many firms to test facilities, including voting and election facilities in advance of the 2020 presidential election, may put security professionals at risk.


A common test, an uncommon outcome

A penetration test, often referred to as a “pen test,” is an assessment conducted by a security firm meant to root out technical and physical security flaws that could put data at risk. This can include testing servers to see whether sensitive data can be stolen electronically, or testing facilities to see whether someone could easily break in and gain access to sensitive data or equipment. Pen testers are paid to attempt to break into corporate or government facilities, computers, devices and data centers.

On Sept. 9, Justin Wynn and Gary Demercurio, employees of pen testing firm Coalfire, were attempting to circumvent the security system at a courthouse in Dallas County, Iowa, to gain entry using those “other means.” The pair had already successfully tested two other courthouses, and they’d had positive interactions with authorities there, according to the company’s CEO, Tom McAndrew.

At the Dallas County courthouse, the pair found a door left propped open, McAndrew told CNBC. They closed the door, then attempted to open it again, tripping an alarm in the process.

The protocol in this type of situation is to wait for authorities to arrive, McAndrew said, which Wynn and Demercurio did. At that point, they had a friendly interaction with sheriff’s deputies, he said. The deputies examined their paperwork and credentials. But when a sheriff arrived, they were arrested on burglary charges. They spent a night in jail, and the company had to bail them out.

“It’s not totally unusual to have police involved,” in a pen test, but it is unusual for security professionals to get arrested, McAndrew said.

Even more surprisingly, the two employees are still facing charges in Dallas County, despite having a clear contract outlining that they were hired by the state’s judicial branch to break into the building. McAndrew believes it “might be unprecedented” for contractors arrested during a pen test to face charges.

Local prosecutors could not immediately be reached for comment, and an inquiry to the Iowa governor’s office was not immediately answered.

According to local news reports at the time of the arrest, there appeared to be a miscommunication between the state, which contracted for the pen test, and the county, which had jurisdiction to monitor security at the courthouse. But this should not have been relevant to the issue of whether a crime occurred, McAndrew said.

“I don’t know why they didn’t let them go. They were remanded to jail. We had thought the state was going to work out these issues with the county. Once we were told the charges were going to be reduced and not dropped, we were shocked that this was happening,” McAndrew said.

Iowa Supreme Court Justice Mark Cady apologized to a state Senate committee for the incident last month, according to the Des Moines Register. But some legislators complained that the tests may have posed some sort of “danger” to the public, according to reports.

Coalfire had been engaged with the Iowa Supreme Court for pen testing since 2015, according to an investigation of the incident. A service order allowed for typical pen test services including “tail-gating” — attempting to enter facilities behind an authorized employee with access to all building areas — and “non destructive lock-picking.”


Alarm in the cybersecurity field

These tests are very common, explained David Kennedy, founder and CEO of Binary Defense and Trusted Sec, a cybersecurity consulting firm that also conducts penetration tests.

“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this,” Kennedy said. “You look at your job, and the protections you have in place. We try our best to make sure you are getting the full authorization. It’s really a shame these folks were trying to help that facility get better with security.”

Kennedy said that he was arrested in the course of conducting a sanctioned pen test involving an insurance company in 2017. He said his interaction with authorities was positive, and like the Coalfire workers in Iowa, he carried documentation outlining why he was there and for whom he was working. In Kennedy’s case, the police called the phone numbers provided by the company that had contracted with his firm, and ultimately received reassurance that the pen test had been requested.

“We are all watching this very closely, and we are concerned,” Kennedy said.

Casey Ellis, founder and chairman of cybersecurity crowd-testing service Bugcrowd, which deals in organized pen tests for corporations and government agencies, said he sees parallels in Dallas County’s reaction in corporations that are new to pen tests, especially successful ones.

“Oftentimes, when offensive testing is being done, there can be a big overreaction that someone has gone out there and demonstrated impact,” Ellis said. Hackers trying to test vulnerabilities in corporations also have faced legal action as a result of their efforts, something the industry has tried to put legal frameworks around, he said.

Ellis said the incident in Iowa spurred his company to “double-down” on a project it had launched in 2018 called Disclose.io, an open-source project meant to outline guidelines for disclosing vulnerabilities while creating “safe harbor” protocols for researchers looking to disclose vulnerabilities.

Ellis said he is worried about how the incident may limit the reach and effectiveness of pen testers, especially as election and voting facilities are under increasing scrutiny in the runup to the 2020 election.

“People that build systems, whether they can be computer networks or they can be physical buildings, it has a primary function, and the people building it aren’t necessarily thinking about security,” Ellis said. “I can only see the need for this accelerating.”

Newsletter

Related Articles

0:00
0:00
Close
Bill Gates at 70: “I Have a Real Fear of Artificial Intelligence – and Also Regret”
Elon Musk Unveils Grokipedia: An AI-Driven Alternative to Wikipedia
Saudi Arabia Unveils Vision for First-Ever "Sky Stadium" Suspended Over Desert Floor
Amazon Announces 14 000 Corporate Job Cuts as AI Investment Accelerates
UK Shop Prices Fall for First Time Since March, Food Leads the Decline
London Stock Exchange Group ADR (LNSTY) Earns Zacks Rank #1 Upgrade on Rising Earnings Outlook
Soap legend Tony Adams, long-time star of Crossroads, dies at 84
Rachel Reeves Signals Tax Increases Ahead of November Budget Amid £20-50 Billion Fiscal Gap
NatWest Past Gains of 314% Spotlight Opportunity — But Some Key Risks Remain
UK Launches ‘Golden Age’ of Nuclear with £38 Billion Sizewell C Approval
UK Announces £1.08 Billion Budget for Offshore Wind Auction to Boost 2030 Capacity
UK Seeks Steel Alliance with EU and US to Counter China’s Over-Capacity
UK Struggles to Balance China as Both Strategic Threat and Valued Trading Partner
Argentina’s Markets Surge as Milei’s Party Secures Major Win
British Journalist Sami Hamdi Detained by U.S. Authorities After Visa Revocation Amid Israel-Gaza Commentary
King Charles Unveils UK’s First LGBT+ Armed Forces Memorial at National Memorial Arboretum
At ninety-two and re-elected: Paul Biya secures eighth term in Cameroon amid unrest
Racist Incidents Against UK Nurses Surge by 55%
UK Chancellor Rachel Reeves Cites Shared Concerns With Trump Administration as Foundation for Early US-UK Trade Deal
Essentra plc: A Closer Look at a UK ‘Penny Stock’ Opportunity Amid Market Weakness
U.S. and China Near Deal to Avert Rare-Earth Export Controls Ahead of Trump-Xi Summit
Justin time: Justin Herbert Shields Madison Beer with Impressive Reflex at Lakers Game
Russia’s President Putin Declares Burevestnik Nuclear Cruise Missile Ready for Deployment
Giuffre’s Memoir Alleges Maxwell Claimed Sexual Act with Clooney
House Republicans Move to Strip NYC Mayoral Front-Runner Zohran Mamdani of U.S. Citizenship
Record-High Spoiled Ballots Signal Voter Discontent in Ireland’s 2025 Presidential Election
Philippines’ Taal Volcano Erupts Overnight with 2.4 km Ash Plume
Albania’s Virtual AI 'Minister' Diella Set to 'Birth' Eighty-Three Digital Assistants for MPs
Tesla Unveils Vision for Optimus V3 as ‘Biggest Product of All Time’, Including Surgical Capabilities
Francis Ford Coppola Auctions Luxury Watches After Self-Financed Film Flop
Convicted Sex Offender Mistakenly Freed by UK Prison Service Arrested in London
United States and China Begin Constructive Trade Negotiations Ahead of Trump–Xi Summit
U.S. Treasury Sanctions Colombia’s President Gustavo Petro over Drug-Trafficking Allegations
Miss USA Crowns Nebraska’s Audrey Eckert Amid Leadership Overhaul
‘I Am Not Done’: Kamala Harris Signals Possible 2028 White House Run
NBA Faces Integrity Crisis After Mass Arrests in Gambling Scandal
Swift Heist at the Louvre Sees Eight French Crown Jewels Stolen in Under Seven Minutes
U.S. Halts Trade Talks with Canada After Ontario Ad Using Reagan Voice Triggers Diplomatic Fallout
Microsoft AI CEO: ‘We’re making an AI that you can trust your kids to use’ — but can Microsoft rebuild its own trust before fixing the industry’s?
China and Russia Deploy Seductive Espionage Networks to Infiltrate U.S. Tech Sector
Apple’s ‘iPhone Air’ Collapses After One Month — Another Major Misstep for the Tech Giant
Graham Potter Begins New Chapter as Sweden Head Coach on Short-Term Deal
Ecuadorian President Daniel Noboa Alleges Poison Plot via Chocolate and Jam
Lakestar to Halt External Fundraising as Investor in Revolut and Spotify
U.S. Innovation Ranking Under Scrutiny as China Leads Output Outputs but Ranks 10th
Three Men Arrested in London on Suspicion of Spying for Russia
Porsche Reverses EV Strategy as New CEO Bets on Petrol and Hybrids
Singapore’s Prime Minister Warns of ‘Messy’ Transition to Post-American Global Order
Andreessen Horowitz Sets Sights on Ten-Billion-Dollar Fund for Tech Surge
US Administration Under President Donald Trump Reportedly Lifts Ban on Ukraine’s Use of Storm Shadow Missiles Against Russia
×