Security Testers Charged With Breaking Into Iowa Courthouses Cleared Of All Criminal Charges

The two men, who worked for Coalfire Labs, were caught up in a miscommunication between local law enforcement and the Iowa judicial branch, which hired the security firm to conduct testing.

• By Haley Samsel
• Feb 04, 2020

Two penetration testers employed by Coalfire Labs, a security firm, were cleared of all criminal charges on Thursday after they were arrested and jailed in September for breaking into an Iowa courthouse -- a task they were hired to do in a contract signed by the Iowa judicial system.

Justin Wynn and Gary De Mercurio had been charged with third-degree burglary and possession of burglary tools after they were caught attempting to break into the Dallas County Courthouse last year. Upon the police’s arrival, the two men informed law enforcement that they were breaking in as part of security testing for Iowa’s court system, according to The Des Moines Register.

However, local law enforcement were unaware of these plans and said that the State Court Administration lacked the authority to allow the testers to enter the property. Wynn and De Mercurio spent more than 12 hours in jail until they were released on bail.

Since then, the court system has said that the Coalfire employees acted outside of the scope of the contract and that they had been hired to find cybersecurity vulnerabilities, not break into courthouses. But the security firm said that it was following through on a contract to test the security of government buildings and outside access to records.

The chief justice of the Iowa Supreme Court apologized to legislators and the public for the mishandling of the contract in October. Following a senate hearing, the judicial branch released new policies on security tests, with one requirement to notify local law enforcement prior to testing.

After news of the contract between Coalfire and the Iowa government became public, Dallas County Attorney Charles Sinnard reduced the charges against Wynn and De Mercurio to trespassing but continued to prosecute. On Thursday, Coalfire leaders and Sinnard announced that the charges had been officially dropped.

“Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges,” Coalfire officials and Sinnard wrote in a joint statement published by Ars Technica. “Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the Judicial Branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.”

Coalfire CEO Tom McAndrew added that he hopes a “a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement.”

De Mercurio and Wynn’s lawyer, Matthew Linholm, said in a statement that he was frustrated that his clients were ever arrested for doing their jobs and that the felony arrests will remain on their permanent record.

“This entire ordeal could have been avoided by simply respecting the fact finding that the responding law enforcement officer conducted which verified the work was authorized by the Judicial Branch,” Linholm said. “Unfortunately, the lack of communication between government entities, an ignorance of the law, personal pride and politics overrode the objective investigation conducted by responding law enforcement.”

He added that the two men plan to share their experiences in an “effort to help educate others” on security testing and the consequences of their ordeal.