Coalfire arrests: Charges against US pen testers finally dropped

Red teamers exonerated

Charges against two US security consultants who were arrested during a physical security test at an Iowa courthouse last September have been dropped.

Justin Wynn and Gary DeMercurio, workers at security consultancy Coalfire, were arrested while in the process of conducting a physical penetration test and initially charged with burglary before charges were later reduced to criminal trespass.

The state of Iowa had hired Coalfire to test courthouse security. A key aspect of the case is whether the state judicial system had the right to authorize a physical pen test for a courthouse building owned and operated by the county.

The two security consultants initially gained access to the judicial buildings through an open door during normal business hours on September 11, 2019. They left and then returned to the courthouse shortly after midnight and “intentionally tripped the alarm in order to test the security response”.

Law enforcement responded to the alarm and arrested the pair despite a presented letter that authorized their work from the Iowa State Judicial Branch.

Dallas County Iowa Sheriff Chad Leonard told The Daily Swig that he arrested the two security workers because what they were doing “went outside the scope of their contract”.

In a statement on Thursday, Coalfire said all charges against its two workers had been dropped. The Dallas County Attorney decided to dismiss trespass charges against the Coalfire employees following discussions between prosecutors, representatives of the security firm, and the Dallas County Sheriff.

The diplomatically worded statement acknowledged that it was the “intention of the Dallas County Sheriff to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse” while suggesting the arrests were unnecessary and expressing the hope that similar incidents can be avoided in future.

“We are pleased that all charges are dropped in the Iowa incident,” said Coalfire CEO Tom McAndrew.

Coalfire’s statement said that some good had come from the high-profile incident in that it had helped raise awareness about the “critical role red team penetration testing plays in defending the integrity of public and private sector commerce”.

Even though the prosecution of the Coalfire pair failed to set a precedent, it did create concerns among infosec professionals, particularly those involved in pen testing. The decision to drop the case was therefore welcomed by members of the community.

Infosec professional Alyssa Miller commented on Twitter: “So glad in the long run the county attorney got this right. Also good on @CoalfireSys for keeping a positive message even though they'd be well within their rights to blast this Sheriff for creating this situation.”

RELATED Coalfire arrests: Charges against US pen testers reduced but not dropped