The incident occurred in September. The Coalfire employees found a door to the Dallas County Courthouse open. They closed the door to check whether it would lock, then tried to open it again, which set off an alarm. Following protocol, they waited for police to arrive and showed them their authorization paperwork. The first deputies on the scene told the employees they were “good to go.” Moments later, the county sheriff arrived and arrested them.
The Coalfire employees spent the night in jail and, as if that weren’t bad enough, were charged with third-degree burglary and possession of burglary tools, both felonies. Their bail was set at $100,000. Coalfire expected the matter to be resolved quickly and the charges dropped, since the company had a contract with the state and had already completed penetration tests (also known as pen tests) at other Iowa courthouses. Instead, the charges were merely reduced to criminal trespass, and they still stand more than two months later.
“The ongoing situation in Iowa is completely ridiculous,” Coalfire CEO Tom McAndrew said in a statement. “… Our mission is to help our clients secure their environments and protect the people that work for them, their customers, and the confidential information they maintain. In this case, we were helping to protect the residents of Iowa.”
Security experts fear that the case could have ramifications beyond Iowa. Pen testing is a common practice, and security firms assume that a contract with the client will protect them. As the Coalfire-Iowa incident shows, that is not always the case: a contract with the state did not stop a county sheriff from making an arrest and prosecutors from pressing charges. Some fear this will discourage security researchers from testing state and municipal systems, as well as election and voting facilities that may be vulnerable in the 2020 election. At the very least, it is proof that we need a clearer way to authorize and handle security testing, and a reminder of how clueless governments can be.