And that also for doing what they were supposed to do.
Iowa – a US state – hired a cyber security company called Coalfire in September to perform penetration testing of certain buildings that involved several courthouses.
Doing their duty, two members of the firm, namely Justin Wynn and Gary Demercurio entered the Dallas County, IA courthouse upon finding a door open. Although they had also successfully broken into two other courthouses before by somehow bypassing their security systems, this was different since it was open entry without any effort.
Thereafter, they closed the door and opened it again, hence tripping the alarm system intentionally waiting to draw attention. Soon, law enforcement arrived and led to a normal interaction with the Sheriff’s deputies who cleared them after seeing their credentials.
However, further on, the story took an ironic twist. The Sherrif arrived and decided to charge the two employees on accounts of burglary making them spend a night in jail.
The next day, their company had to bail them out. Now, you’d expect that later on everything would be sorted out in light of their contracts explicitly declaring how the State’s judiciary hired them to do the job of breaking in.
However, it turns out that the duo is still facing charges which set a dangerous example that might deter other firms and employees in the industry from taking up such work so easily.
The reason that seems to be behind this mess can be the suspected miscommunication or thereof its lack of between the State who hired the firm and the county which is responsible for security. Moreover, Coalfire and the State’s administration may have had “different interpretations of the scope of the agreement.”
Currently, though, the charges have been reduced to criminal trespass but it remains a concern nonetheless. Heads have shaken across the industry in light of this with the cyber security industry in dismay. This is also thanks to the Sherrif who is believed to have arrested the employees on political motives as deduced from an email he sent stating that,
“This building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in.”
Since the authorities and media love to splash the mugshots of the consultants everywhere they can, here's the Sheriff (Chad Leonard) and the County Attorney (Chuck Sinnard) who are responsible for this ridiculous abuse of power. #StandwithCoalfire pic.twitter.com/Ys0yzZ1lv5— Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) November 14, 2019
For the future, we can expect both sides negotiating and working on this together as Coalfire in a press release in September stated,
…the Iowa Judicial Branch and Coalfire will each conduct independent reviews and release the contractual documents executed between both parties.
Regardless of this, let’s leave it here to figure out who’ll dare to take up the State’s next cyber security project.