State Paid Hackers To Break Into A Courthouse & Then Arrested Them For It
Adel, IA — In 2019, Gary DeMercurio and Justin Wynn were employed by the cybersecurity firm Coalfire when Iowa’s state judicial branch hired them to break into courthouses across the state. They were told that this was entirely legal and that they would not go to jail if they were somehow caught. However, when they broke into the Dallas County Courthouse, they quickly learned that wasn’t the truth.
DeMercurio and Wynn have since filed a lawsuit after they were arrested and charged with felony burglary for doing exactly what the government wanted them to do. They were tasked by the state to conduct “cybersecurity testing activities, including physical penetration” on five different buildings, according to the lawsuit.
On September 10, 2019, the pair were testing the security at the Dallas County Courthouse, conducting a series of “physical attacks,” like picking locks and attempting to gain entry into the building. As Wynn and DeMercurio successfully broke in, they tripped a motion alarm inside triggering a response from the local sheriff’s department.
To prevent their arrest, the pair was carrying literal “get out of jail free” letter which stated their purpose for being there and which told authorities not to arrest them. However, “when [Sheriff Chad] Leonard arrived, the situation changed,” according to the lawsuit.
When police walked in, the pair did not run and instead attempted to calmly explain to responding officers why they were there, showing them the authorization letter which allegedly gave them permission to be there.
Though the first officers on the scene believed them, Sheriff Leonard wasn’t having it. Instead of abiding by the agreement letter carried by the duo, the sheriff arrested them.
“Leonard refused to recognize the authority of the Iowa Judicial Branch to permit plaintiffs to perform testing on the Dallas County Courthouse,” the complaint states. “Leonard ordered his deputies to arrest both plaintiffs.”
Both mean were arrested and thrown in jail. They spent about 20 hours in jail before making bail. It would then take nearly five months for DeMercurio and Wynn to have their charges dropped.
Although the charges were eventually dropped, according to the lawsuit, having a felony arrest on their records presents a significant obstacle, according to their attorney Marty Diaz.
“It clearly has hampered their ability to consider if they were interested in going someplace else to work. That creates a problem,” Diaz said. “It has a significant impact on the value of their service.”
The lawsuit seeks unspecified damages for claims including false arrest, defamation and malicious prosecution, as well as several constitutional claims.
When presented with the lawsuit, sheriff Leonard stood by his decision to arrest the two men.
“We deny the claims made in the petition and stand ready to defend ourselves in court,” he said in an email.
Wynn and DeMercurio are also considering a lawsuit against the Iowa Judicial Branch who put them into harm’s way by failing to properly alert authorities to the nature of the security test.
“It got into an argument between the sheriff’s office and the Iowa Judicial Branch, and it became a territorial dispute between the two of them, and all of the sudden the state started backing down,” Diaz said. “That, of course, put my clients in a position where it starts to look like they did something wrong, which they didn’t. That’s where any potential exposure on the part of the state exists.”
“It’s like two people fighting over somebody, and that somebody’s getting stomped on,” he added. “That’s exactly what happened to my clients. They become the scapegoats.”
According to the Des Moines Register, their arrest and subsequent charges drew outrage from state legislators, who accused judicial officials of hiring a private company to commit crimes.
“In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattacks, mistakes were made,” then-Chief Justice Mark Cady told legislators. “We are doing everything possible to correct those mistakes, be accountable for the mistakes and to make sure they never, ever occur again.”
Article posted with permission from Matt Agorist