London Daily

Focus on the big picture.
Wednesday, Jul 15, 2026

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

A pair of security workers at a prominent cybersecurity company are contracted by the state of Iowa to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

They are arrested in the course of doing their jobs. The charges still have not been dropped, despite admissions by the state of a miscommunication with county authorities.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts to test voting facilities in advance of the 2020 presidential election may put security professionals at risk.

The state of Iowa contracted with a prominent cybersecurity company to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

In September, two employees of the company were arrested in the course of doing their jobs. The charges still have not been dropped.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts by many firms to test facilities, including voting and election facilities in advance of the 2020 presidential election, may put security professionals at risk.


A common test, an uncommon outcome

A penetration test, often referred to as a “pen test,” is an assessment conducted by a security firm meant to root out technical and physical security flaws that could put data at risk. This can include testing servers to see whether sensitive data can be stolen electronically, or testing facilities to see whether someone could easily break in and gain access to sensitive data or equipment. Pen testers are paid to attempt to break into corporate or government facilities, computers, devices and data centers.

On Sept. 9, Justin Wynn and Gary Demercurio, employees of pen testing firm Coalfire, were attempting to circumvent the security system at a courthouse in Dallas County, Iowa, to gain entry using those “other means.” The pair had already successfully tested two other courthouses, and they’d had positive interactions with authorities there, according to the company’s CEO, Tom McAndrew.

At the Dallas County courthouse, the pair found a door left propped open, McAndrew told CNBC. They closed the door, then attempted to open it again, tripping an alarm in the process.

The protocol in this type of situation is to wait for authorities to arrive, McAndrew said, which Wynn and Demercurio did. At that point, they had a friendly interaction with sheriff’s deputies, he said. The deputies examined their paperwork and credentials. But when a sheriff arrived, they were arrested on burglary charges. They spent a night in jail, and the company had to bail them out.

“It’s not totally unusual to have police involved,” in a pen test, but it is unusual for security professionals to get arrested, McAndrew said.

Even more surprisingly, the two employees are still facing charges in Dallas County, despite having a clear contract outlining that they were hired by the state’s judicial branch to break into the building. McAndrew believes it “might be unprecedented” for contractors arrested during a pen test to face charges.

Local prosecutors could not immediately be reached for comment, and an inquiry to the Iowa governor’s office was not immediately answered.

According to local news reports at the time of the arrest, there appeared to be a miscommunication between the state, which contracted for the pen test, and the county, which had jurisdiction to monitor security at the courthouse. But this should not have been relevant to the issue of whether a crime occurred, McAndrew said.

“I don’t know why they didn’t let them go. They were remanded to jail. We had thought the state was going to work out these issues with the county. Once we were told the charges were going to be reduced and not dropped, we were shocked that this was happening,” McAndrew said.

Iowa Supreme Court Justice Mark Cady apologized to a state Senate committee for the incident last month, according to the Des Moines Register. But some legislators complained that the tests may have posed some sort of “danger” to the public, according to reports.

Coalfire had been engaged with the Iowa Supreme Court for pen testing since 2015, according to an investigation of the incident. A service order allowed for typical pen test services including “tail-gating” — attempting to enter facilities behind an authorized employee with access to all building areas — and “non destructive lock-picking.”


Alarm in the cybersecurity field

These tests are very common, explained David Kennedy, founder and CEO of Binary Defense and Trusted Sec, a cybersecurity consulting firm that also conducts penetration tests.

“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this,” Kennedy said. “You look at your job, and the protections you have in place. We try our best to make sure you are getting the full authorization. It’s really a shame these folks were trying to help that facility get better with security.”

Kennedy said that he was arrested in the course of conducting a sanctioned pen test involving an insurance company in 2017. He said his interaction with authorities was positive, and like the Coalfire workers in Iowa, he carried documentation outlining why he was there and for whom he was working. In Kennedy’s case, the police called the phone numbers provided by the company that had contracted with his firm, and ultimately received reassurance that the pen test had been requested.

“We are all watching this very closely, and we are concerned,” Kennedy said.

Casey Ellis, founder and chairman of cybersecurity crowd-testing service Bugcrowd, which deals in organized pen tests for corporations and government agencies, said he sees parallels in Dallas County’s reaction in corporations that are new to pen tests, especially successful ones.

“Oftentimes, when offensive testing is being done, there can be a big overreaction that someone has gone out there and demonstrated impact,” Ellis said. Hackers trying to test vulnerabilities in corporations also have faced legal action as a result of their efforts, something the industry has tried to put legal frameworks around, he said.

Ellis said the incident in Iowa spurred his company to “double-down” on a project it had launched in 2018 called Disclose.io, an open-source project meant to outline guidelines for disclosing vulnerabilities while creating “safe harbor” protocols for researchers looking to disclose vulnerabilities.

Ellis said he is worried about how the incident may limit the reach and effectiveness of pen testers, especially as election and voting facilities are under increasing scrutiny in the runup to the 2020 election.

“People that build systems, whether they can be computer networks or they can be physical buildings, it has a primary function, and the people building it aren’t necessarily thinking about security,” Ellis said. “I can only see the need for this accelerating.”

Newsletter

Related Articles

0:00
0:00
Close
Forget Tinder: The Surprising Platform Where People Find Love
Harvard Astrophysicist to Lead U.S. Scientific Advisory on Unidentified Aerial Phenomena
On the Island That Did Not Yield to Trump, There Is No Electricity, and 10 Million Live in Darkness
Emergency Sirens Activated Across Bahrain as Interior Ministry Issues Shelter Directives
Key Trends to Watch
United Nations Expert Calls for Full Implementation of Supreme Court Ruling on Legal Definition of Sex
Industry Coalition Urges Labour Lawmakers to Back Continued North Sea Oil and Gas Production
Parliamentary Committee Calls for Tougher Restrictions on Unhealthy Food Advertising
Government Expands Awaab's Law to Cover Heat and Additional Housing Hazards
Energy Regulator Opens Independent Investigation Into National Grid Operator
United Kingdom and European Union Sign Landmark Gibraltar Border Agreement
Chancellor Unveils Financial Services Reform and Artificial Intelligence Strategy at Mansion House
Counterterrorism Police Take Over Investigation Into Killing of Former Minister Ann Widdecombe
Beer Industry Warns UK Rules Could Limit Growth of Alcohol-Free Market
Home Office Faces Legal Challenges Over Asylum Seeker Accommodation Closures
UK Heatwaves Linked to More Than Two Thousand Seven Hundred Deaths as Climate Debate Intensifies
Home Secretary Faces Pressure Over Political Security After Ann Widdecombe Murder Investigation
United Kingdom Opens Trade Consultation With Indonesia, Philippines, United Arab Emirates and Uruguay
Robert Jenrick Joins Reform UK After Leaving Conservative Party Leadership Role
Counter-Terrorism Police Take Over Investigation into Murder of Former MP Ann Widdecombe
Andy Burnham Secures Strong Labour Backing in Race to Succeed Keir Starmer
Global Markets Slide as Middle East Conflict Escalation Sends Oil Prices Higher
UK Prime Minister Keir Starmer Offers Condolences Following Death of Qatar’s Father Amir
UK Regional Innovation Policy Focuses on Research Clusters Across Scotland, Wales, and Northern England
UK Corporate Transparency Rules Set to Become More Strict Under Modern Slavery Reform Plans
UK Civil Service Estate Strategy Shifts Government Activity Away From London
UK Strengthens National Security Powers Through New Threat Designations
Greater Manchester Police Conduct Drink and Drug Driving Operations After Football Events
UK Government Advances Darlington Economic Campus With Construction Milestone
UK Authorities Increase Football-Related Security Operations After Tournament Fixtures
UK Invests Fifty-One Million Pounds in National Cryogenics Facility and Regional Innovation Hubs
UK Moves Toward Tougher Modern Slavery Reporting Rules With Corporate Penalties
UK Government Reports Forty-Three Million Pounds in Savings From Office Estate Reform
UK Government Expands Civil Service Regional Strategy With Manchester and Darlington Campus Projects
UK Designates Iran’s Islamic Revolutionary Guard Corps as National Security Threat
United Kingdom Financial Markets Monitor Business Response to Economic Policy Changes
Scottish Renewable Energy Expansion Highlights Need for Faster Grid Development
Wales and Regions Strengthen Focus on Economic Development Through Tourism and Investment
Retail Industry Warns High Street Businesses Remain Under Pressure
Police Chiefs Highlight Growing Challenges Managing Protests and Public Order
Agriculture Leaders Seek Clarity on Post-Brexit Farming Support and Environmental Rules
Transport Unions Warn of Further Industrial Action Over Pay and Working Conditions
Welsh Tourism Sector Reports Strong Growth Driven by Domestic and International Visitors
National Infrastructure Review Gains Support as Leaders Seek Faster Project Delivery
Financial Markets Assess Impact of United Kingdom Corporate Tax Policy Changes
Northern Ireland Assembly Debates Cross-Border Trade and Infrastructure Cooperation Plans
Government Opens Consultations on Housing Reform and Planning System Changes
Scottish Government Faces Pressure to Accelerate Offshore Wind and Grid Expansion
National Energy System Operator Warns Grid Investment Is Needed for Future Electricity Demand Growth
United Kingdom Research Council Invests in Artificial Intelligence and Biotechnology Innovation Hubs
×