London Daily

Focus on the big picture.
Saturday, Jul 18, 2026

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

A pair of security workers at a prominent cybersecurity company are contracted by the state of Iowa to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

They are arrested in the course of doing their jobs. The charges still have not been dropped, despite admissions by the state of a miscommunication with county authorities.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts to test voting facilities in advance of the 2020 presidential election may put security professionals at risk.

The state of Iowa contracted with a prominent cybersecurity company to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

In September, two employees of the company were arrested in the course of doing their jobs. The charges still have not been dropped.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts by many firms to test facilities, including voting and election facilities in advance of the 2020 presidential election, may put security professionals at risk.


A common test, an uncommon outcome

A penetration test, often referred to as a “pen test,” is an assessment conducted by a security firm meant to root out technical and physical security flaws that could put data at risk. This can include testing servers to see whether sensitive data can be stolen electronically, or testing facilities to see whether someone could easily break in and gain access to sensitive data or equipment. Pen testers are paid to attempt to break into corporate or government facilities, computers, devices and data centers.

On Sept. 9, Justin Wynn and Gary Demercurio, employees of pen testing firm Coalfire, were attempting to circumvent the security system at a courthouse in Dallas County, Iowa, to gain entry using those “other means.” The pair had already successfully tested two other courthouses, and they’d had positive interactions with authorities there, according to the company’s CEO, Tom McAndrew.

At the Dallas County courthouse, the pair found a door left propped open, McAndrew told CNBC. They closed the door, then attempted to open it again, tripping an alarm in the process.

The protocol in this type of situation is to wait for authorities to arrive, McAndrew said, which Wynn and Demercurio did. At that point, they had a friendly interaction with sheriff’s deputies, he said. The deputies examined their paperwork and credentials. But when a sheriff arrived, they were arrested on burglary charges. They spent a night in jail, and the company had to bail them out.

“It’s not totally unusual to have police involved,” in a pen test, but it is unusual for security professionals to get arrested, McAndrew said.

Even more surprisingly, the two employees are still facing charges in Dallas County, despite having a clear contract outlining that they were hired by the state’s judicial branch to break into the building. McAndrew believes it “might be unprecedented” for contractors arrested during a pen test to face charges.

Local prosecutors could not immediately be reached for comment, and an inquiry to the Iowa governor’s office was not immediately answered.

According to local news reports at the time of the arrest, there appeared to be a miscommunication between the state, which contracted for the pen test, and the county, which had jurisdiction to monitor security at the courthouse. But this should not have been relevant to the issue of whether a crime occurred, McAndrew said.

“I don’t know why they didn’t let them go. They were remanded to jail. We had thought the state was going to work out these issues with the county. Once we were told the charges were going to be reduced and not dropped, we were shocked that this was happening,” McAndrew said.

Iowa Supreme Court Justice Mark Cady apologized to a state Senate committee for the incident last month, according to the Des Moines Register. But some legislators complained that the tests may have posed some sort of “danger” to the public, according to reports.

Coalfire had been engaged with the Iowa Supreme Court for pen testing since 2015, according to an investigation of the incident. A service order allowed for typical pen test services including “tail-gating” — attempting to enter facilities behind an authorized employee with access to all building areas — and “non destructive lock-picking.”


Alarm in the cybersecurity field

These tests are very common, explained David Kennedy, founder and CEO of Binary Defense and Trusted Sec, a cybersecurity consulting firm that also conducts penetration tests.

“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this,” Kennedy said. “You look at your job, and the protections you have in place. We try our best to make sure you are getting the full authorization. It’s really a shame these folks were trying to help that facility get better with security.”

Kennedy said that he was arrested in the course of conducting a sanctioned pen test involving an insurance company in 2017. He said his interaction with authorities was positive, and like the Coalfire workers in Iowa, he carried documentation outlining why he was there and for whom he was working. In Kennedy’s case, the police called the phone numbers provided by the company that had contracted with his firm, and ultimately received reassurance that the pen test had been requested.

“We are all watching this very closely, and we are concerned,” Kennedy said.

Casey Ellis, founder and chairman of cybersecurity crowd-testing service Bugcrowd, which deals in organized pen tests for corporations and government agencies, said he sees parallels in Dallas County’s reaction in corporations that are new to pen tests, especially successful ones.

“Oftentimes, when offensive testing is being done, there can be a big overreaction that someone has gone out there and demonstrated impact,” Ellis said. Hackers trying to test vulnerabilities in corporations also have faced legal action as a result of their efforts, something the industry has tried to put legal frameworks around, he said.

Ellis said the incident in Iowa spurred his company to “double-down” on a project it had launched in 2018 called Disclose.io, an open-source project meant to outline guidelines for disclosing vulnerabilities while creating “safe harbor” protocols for researchers looking to disclose vulnerabilities.

Ellis said he is worried about how the incident may limit the reach and effectiveness of pen testers, especially as election and voting facilities are under increasing scrutiny in the runup to the 2020 election.

“People that build systems, whether they can be computer networks or they can be physical buildings, it has a primary function, and the people building it aren’t necessarily thinking about security,” Ellis said. “I can only see the need for this accelerating.”

Newsletter

Related Articles

0:00
0:00
Close
For 36 Years, He Scammed About 300 Luxury Hotels — Until He Was Caught
England's World Cup Exit Expected to Cost Hospitality and Retail £334 Million
Former ICC Prosecutor Aide Speaks Publicly About Allegations Against Karim Khan
Opposition Raises Questions Over June Heatwave Power Grid Pressures
Mastercard Explores Sale of Majority Stake in UK Payments Operator Vocalink
Boeing Forecasts Global Commercial Aircraft Fleet Will Double by 2045
London GP Surgeries Receive £18 Million to Expand Primary Care Capacity
Health Advisers Recommend Nationwide Meningitis B Vaccination for Teenagers
OECD Warns UK Economy Faces Slower Growth and Weak Productivity
Treasury Places Major Global Cloud Providers Under Direct Financial Oversight
Financial Markets Rally as Shabana Mahmood Emerges as Leading Treasury Candidate
Incoming Government Prepares Thames Water Nationalisation and New North Sea Drilling Approvals
UK Government Plans Deep Cuts to Bilateral Aid for African Nations
United States and Iran Exchange Direct Strikes for Seventh Consecutive Night
Incoming Prime Minister Andy Burnham Confirmed as Labour Leader Ahead of Downing Street Handover
Britain Nationalises British Steel to Protect Scunthorpe Production and Strategic Supply
Andy Burnham Takes Labour Leadership and Prepares to Become Britain’s Seventh Prime Minister in a Decade
Tech Companies Want to Move Computing Off Your Screen and Onto Your Body
White House Teleprompter Operator Earned More Than $100,000 From Bets Linked to the President's Speeches
French Prime Minister Survives No-Confidence Vote After Controversial Budget Cuts
European Commission Opens Excessive Deficit Procedure Against France
French Senate Blocks Key Immigration Reform Measures
French Government Pushes EU Action Against Ultra-Fast Fashion Imports
French Parliament Debates Expanded Autonomy Powers for Corsica
France Reopens Autonomy Talks With New Caledonia After Months of Unrest
Bordeaux Wine Producers Seek Three Hundred Million Euro Aid Package After Export Collapse
French Farmers Block Spain Border Crossings Over Imported Food Competition
Cannes Film Festival Bans Fully Artificial Intelligence-Generated Films From Competition
TotalEnergies Shifts More Than Three Billion Euros of Green Investment From Europe to the United States
LVMH Chief Executive Bernard Arnault Presents Succession Plan for Luxury Empire
Kering Reports Fifteen Percent Revenue Drop as Chinese Luxury Demand Weakens
Sanofi Reports Positive Results From Messenger RNA Respiratory Vaccine Trials
France Places Energy Price Caps Under Review to Protect Households Through Winter
EDF Connects Two New Nuclear Reactors to France’s Electricity Grid
Mistral Secures European Commission Contract for Sovereign Artificial Intelligence Models
Renault Opens Next-Generation Electric Battery Plant in Northern France
Air France Signs Two Billion Euro Sustainable Aviation Fuel Deal to Cut Emissions
Marseille Launches Three Billion Euro Port Expansion to Strengthen Mediterranean Trade Role
French-Owned Ubisoft Announces Global Restructuring With Nearly One Thousand Job Cuts
National Railway Operator Suspends Artificial Intelligence Ticket Pricing System After Consumer Backlash
United Kingdom to Ban Sales of High-Caffeine Energy Drinks to Under-Sixteens
Home Office Designates Iranian and Russian Paramilitary Groups as National Security Threats
National Health Service Launches Housing Plan to Retain London Healthcare Workers
British Heatwave Fuels Wildfires and Emergency Evacuations in Scotland
United Kingdom and Estonia Sign Defence Agreement to Strengthen NATO’s Eastern Flank
United Kingdom Cuts Bilateral Aid to African Nations by More Than Eighty Percent
Bank of England Overhauls Banking Rules to Encourage More Lending to Businesses
United Kingdom and India Free Trade Agreement Enters Into Force, Reshaping Bilateral Economic Ties
Andy Burnham Confirmed as New Labour Leader and Prime Minister-Designate
UK Government Faces Pressure Over Extreme Heat Workplace Rules
×