Iowa hired a cybersecurity firm to do penetration testing, then arrested its workers
In brief: With data breaches and ransomware attacks seemingly occurring weekly, Iowa state officials thought it would be an opportune time to have professionals test the security at government facilities around the state. So it hired cybersecurity firm Coalfire to conduct penetration testing (pen testing) on both infrastructure components like servers and physical building access. Then something else happened…
In one of its tests back in September, two Coalfire employees found a door at the Dallas County Courthouse wide open. They entered the building and intentionally set off an alarm to test law enforcement response, which was part of the job. As per the company’s policy, the security workers waited for the police to arrive so they could present the paperwork proving they were hired to check the security of the building.
Initially, the first deputies on the scene checked their documentation and said they were “good to go.” However, the local sheriff arrived within minutes and arrested them. The employees were charged with third-degree felony burglary and possession of burglary tools. They spent the night in jail, and Coalfire posted their excessive $100,000 bail the next day.
The company and its workers expected the state to drop the charges quickly since Coalfire had a contract to do pen testing at the courthouse, but the matter has boiled over into what appears to be a dispute between jurisdictional officials.
“Failing to de-escalate the issue and bring in State/County politics, Sheriff Leonard communicated in an email ‘that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in.’”
According to Coalfire, the incident was caused by the state not being on the same page as Coalfire on the scope of the contract, and the local sheriff not being clued in on the job.
“Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work,” said the firm in a press release back in September. “Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement.”
At the time, Coalfire was confident that it could work out the misunderstanding by coming together with officials to discuss the confidential details of the contract. However, the charges were only reduced to criminal trespassing.
In a statement, Coalfire CEO Tom McAndrew said, “The ongoing situation in Iowa is completely ridiculous, and I hope that the citizens of Iowa continue to push for justice and common sense. Today, we found out that charges against [our] employees at the center of the Dallas County Courthouse incident … have been reduced from felony accusations of Burglary in the third-degree and possession of burglary tools to criminal trespass.”
“I do not consider this a ‘win’ for our employees, and Coalfire will continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing,” McAndrew added.
“My hope is that the officials involved in this case will appropriately consider the context in which the actions of our employees were performed and the ongoing dispute between the state and the county related to governance of the court buildings.”
The ramifications of this incident are far broader than just a beef between Coalfire and state officials. If the employees are not exonerated on all charges, it could have lasting effects on whether other security firms that do pen testing choose to take jobs with state and municipal authorities.
Hopefully, the issue will be settled without the need for further litigation. It would seem that the sheriff, in this case, made a bad call, and it probably would not hold up under a jury trial, but it should not go that far.
“Sheriff Leonard failed to exercise common sense and good judgement [sic] and turned this engagement into a political battle between the State and the County,” McAndrew said. “I spoke with the team immediately after their release and promised to do everything I could to get this resolved. I intend to keep my promise. The fact that this case is still ongoing is a failure of the criminal justice system in Iowa.”