London Daily

Focus on the big picture.
Monday, Jul 06, 2026

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

A pair of security workers at a prominent cybersecurity company are contracted by the state of Iowa to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

They are arrested in the course of doing their jobs. The charges still have not been dropped, despite admissions by the state of a miscommunication with county authorities.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts to test voting facilities in advance of the 2020 presidential election may put security professionals at risk.

The state of Iowa contracted with a prominent cybersecurity company to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

In September, two employees of the company were arrested in the course of doing their jobs. The charges still have not been dropped.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts by many firms to test facilities, including voting and election facilities in advance of the 2020 presidential election, may put security professionals at risk.


A common test, an uncommon outcome

A penetration test, often referred to as a “pen test,” is an assessment conducted by a security firm meant to root out technical and physical security flaws that could put data at risk. This can include testing servers to see whether sensitive data can be stolen electronically, or testing facilities to see whether someone could easily break in and gain access to sensitive data or equipment. Pen testers are paid to attempt to break into corporate or government facilities, computers, devices and data centers.

On Sept. 9, Justin Wynn and Gary Demercurio, employees of pen testing firm Coalfire, were attempting to circumvent the security system at a courthouse in Dallas County, Iowa, to gain entry using those “other means.” The pair had already successfully tested two other courthouses, and they’d had positive interactions with authorities there, according to the company’s CEO, Tom McAndrew.

At the Dallas County courthouse, the pair found a door left propped open, McAndrew told CNBC. They closed the door, then attempted to open it again, tripping an alarm in the process.

The protocol in this type of situation is to wait for authorities to arrive, McAndrew said, which Wynn and Demercurio did. At that point, they had a friendly interaction with sheriff’s deputies, he said. The deputies examined their paperwork and credentials. But when a sheriff arrived, they were arrested on burglary charges. They spent a night in jail, and the company had to bail them out.

“It’s not totally unusual to have police involved,” in a pen test, but it is unusual for security professionals to get arrested, McAndrew said.

Even more surprisingly, the two employees are still facing charges in Dallas County, despite having a clear contract outlining that they were hired by the state’s judicial branch to break into the building. McAndrew believes it “might be unprecedented” for contractors arrested during a pen test to face charges.

Local prosecutors could not immediately be reached for comment, and an inquiry to the Iowa governor’s office was not immediately answered.

According to local news reports at the time of the arrest, there appeared to be a miscommunication between the state, which contracted for the pen test, and the county, which had jurisdiction to monitor security at the courthouse. But this should not have been relevant to the issue of whether a crime occurred, McAndrew said.

“I don’t know why they didn’t let them go. They were remanded to jail. We had thought the state was going to work out these issues with the county. Once we were told the charges were going to be reduced and not dropped, we were shocked that this was happening,” McAndrew said.

Iowa Supreme Court Justice Mark Cady apologized to a state Senate committee for the incident last month, according to the Des Moines Register. But some legislators complained that the tests may have posed some sort of “danger” to the public, according to reports.

Coalfire had been engaged with the Iowa Supreme Court for pen testing since 2015, according to an investigation of the incident. A service order allowed for typical pen test services including “tail-gating” — attempting to enter facilities behind an authorized employee with access to all building areas — and “non destructive lock-picking.”


Alarm in the cybersecurity field

These tests are very common, explained David Kennedy, founder and CEO of Binary Defense and Trusted Sec, a cybersecurity consulting firm that also conducts penetration tests.

“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this,” Kennedy said. “You look at your job, and the protections you have in place. We try our best to make sure you are getting the full authorization. It’s really a shame these folks were trying to help that facility get better with security.”

Kennedy said that he was arrested in the course of conducting a sanctioned pen test involving an insurance company in 2017. He said his interaction with authorities was positive, and like the Coalfire workers in Iowa, he carried documentation outlining why he was there and for whom he was working. In Kennedy’s case, the police called the phone numbers provided by the company that had contracted with his firm, and ultimately received reassurance that the pen test had been requested.

“We are all watching this very closely, and we are concerned,” Kennedy said.

Casey Ellis, founder and chairman of cybersecurity crowd-testing service Bugcrowd, which deals in organized pen tests for corporations and government agencies, said he sees parallels in Dallas County’s reaction in corporations that are new to pen tests, especially successful ones.

“Oftentimes, when offensive testing is being done, there can be a big overreaction that someone has gone out there and demonstrated impact,” Ellis said. Hackers trying to test vulnerabilities in corporations also have faced legal action as a result of their efforts, something the industry has tried to put legal frameworks around, he said.

Ellis said the incident in Iowa spurred his company to “double-down” on a project it had launched in 2018 called Disclose.io, an open-source project meant to outline guidelines for disclosing vulnerabilities while creating “safe harbor” protocols for researchers looking to disclose vulnerabilities.

Ellis said he is worried about how the incident may limit the reach and effectiveness of pen testers, especially as election and voting facilities are under increasing scrutiny in the runup to the 2020 election.

“People that build systems, whether they can be computer networks or they can be physical buildings, it has a primary function, and the people building it aren’t necessarily thinking about security,” Ellis said. “I can only see the need for this accelerating.”

Newsletter

Related Articles

0:00
0:00
Close
NHS Maternity Reform Expands Central Oversight After Critical National Review
Dover Border Warnings Highlight Post-Brexit Pressure on Cross-Channel Trade
Private Nuclear Consortium Advances £35 Billion Small Reactor Strategy in UK
UK Labour Leadership Signals Shift Toward Reindustrialisation and Regional Power
House of Lords Debates Rail Nationalisation Bill to Create Great British Railways
Scottish Affairs Committee Expands Inquiry Into SNP Financial Conduct
Evri Launches £1.2 Million Defamation Case Against BBC Over Panorama Investigation
Port of Dover Warns of Border Delays as EU Entry-Exit System Looms
Nigel Farage Referred to Standards Watchdog Over Alleged Undeclared Benefits
UK Government Faces Scrutiny Over Claimed AI Datacentre Investment After FOI Findings
UK and India Finalise Trade Agreement Rules Ahead of Mid-July Implementation
UK Government Establishes National Maternity Commissioner After Major Review of NHS Care Failures
Private Consortium Plans £35 Billion UK Nuclear Programme Targeting Small Modular Reactor Rollout
Andy Burnham Sets Out Ten-Year Reindustrialisation and Devolution Plan as Leadership Transition to UK Premiership Advances
Morocco and France Advance as 2026 FIFA World Cup Enters Quarterfinals.
Historic 2026 Tour de France Opens in Barcelona With Revamped Team Time Trial.
Global Mergers and Acquisitions Approach $4 Trillion Defying Geopolitical Tumult.
Negotiators Advance 20-Point Framework for Gaza Ceasefire and Demilitarization.
OECD Warns Middle East Conflict Will Depress Global Economic Growth.
Ukrainian Drones Strike Major Oil Terminal in St. Petersburg.
World Meteorological Organization Issues Urgent Alert Over Rapidly Intensifying El Niño.
United States Commemorates 250th Anniversary With Diplomatic Summits and Global Flotilla.
Iran Begins Days-Long Funeral for Supreme Leader Khamenei Amid Strait of Hormuz Standoff.
Technology giant reports surging carbon emissions driven by artificial intelligence infrastructure demands.
Artificial intelligence adoption accelerates workforce reductions across the technology and financial sectors.
Global technology and financial conglomerates collaborate to launch a new stablecoin standard.
United States regulators lift export restrictions on a major frontier artificial intelligence model.
Royal Society Exhibition Highlights Growing Focus on Public Trust in Science
Energy Costs and Supply Chain Risks Continue to Shape UK Business Strategy
Rapid Rise in Artificial Intelligence Adoption Reshapes UK Corporate Operations, ONS Says
UK Businesses Turn Defensive as Economic Outlook Weakens, Institute of Directors Data Shows
UK Government Faces Criticism Over Late Extension of Pub Hours for England Match
Inquest Continues Into Death of Noah Donohoe as Jury Deliberates Findings
Calls for Stronger Wildlife Attraction Safety Rules After Crocodile Enclosure Injury
City Fire Under Control After Major Blaze Sends Smoke Across Urban Area
Police Investigation Continues After Officer Killed During Road Closure Duties
Blackpool Hotel Fined £120,000 After Electric Shock Incident Involving Child
Whistleblowers Allege Delays in UK Special Educational Needs Support Services
Calls Grow for Improved Support for UK Armed Forces Personnel Facing Health Conditions
Rising UK Energy Price Cap Increase Prompts Wider Concerns Over Household Pressures
UK Businesses Remain Concerned Over Global Conflict Risks to Supply Chains, ONS Finds
Office for National Statistics Reports Rising Adoption of Artificial Intelligence Across UK Businesses
Institute of Directors Reports Deepening Pessimism in UK Business Confidence Index
England Prepare for World Cup Round of 16 Match Against Mexico in Mexico City
Royal Society Summer Science Exhibition Concludes in London After Week-Long Showcase of Research
Silverstone Hosts British Grand Prix as Lando Norris and Lewis Hamilton Lead Home Crowd Expectations
Cornwall Van Dwellers Face Homelessness Risk as Council Tightens Enforcement
Police Investigate Stabbing of Iranian Journalist in London
Rare Copy of US Declaration of Independence Discovered in UK Archive
Department for Education Data Shows Persistent Literacy Gap Among Disadvantaged White Pupils
×