Pentesters arrested at Iowa courthouse will receive $600,000 settlement

Two security professionals arrested in 2019 after performing an authorized assessment of the Dallas County Courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation, the report says. Gary DeMercurio and Justin Wynn were penetration testers employed by Coalfire Labs and had written authorization from the Iowa Judicial Branch to conduct "red-team" exercises intended to test the resilience of existing defenses using real-world attack techniques.

The rules of engagement for the exercise explicitly permitted "physical attacks," including "lockpicking," against judicial branch buildings so long as they didn’t cause significant damage. The engagement on September 11, 2019, began after the men found a side door to the courthouse unlocked; they closed it and let it lock, then slipped a makeshift tool through a crack in the door to trip the locking mechanism.

After gaining entry, the pentesters tripped an alarm alerting authorities, the report says. Despite the written authorization, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent about 20 hours in jail before being released on $100,000 bail ($50,000 for each).

The charges were later reduced to misdemeanor trespassing, but Chad Leonard, sheriff of Dallas County, continued to allege publicly that the men had acted illegally and should be prosecuted. The report notes reputational harm can be severe for security professionals.
