After Six Years, Two Pentesters Arrested in Iowa Receive $600,000 Settlement
"They were crouched down like turkeys peeking over the balcony," the county sheriff told Ars Technica. A half hour past midnight, they were skulking through a courthouse in Iowa's Dallas County on September 11 "carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs." More deputies arrived... Justin Wynn, 29 of Naples, Florida, and Gary De Mercurio, 43 of Seattle, slowly proceeded down the stairs with hands raised. They then presented the deputies with a letter that explained the intruders weren't criminals but rather penetration testers who had been hired by Iowa's State Court Administration to test the security of its court information system. After calling one or more of the state court officials listed in the letter, the deputies were satisfied the men were authorized to be in the building.
But Sheriff Chad Leonard had the men arrested on felony third-degree burglary charges (later reduced to misdemeanor trespassing charges). He told them that while the state government may have wanted to test security, "The State of Iowa has no authority to allow you to break into a county building. You're going to jail."
More than six years later, the Des Moines Register reports: Dallas County is paying $600,000 to two men who sued after they were arrested in 2019 while testing courthouse security for Iowa's Judicial Branch, their lawyer says.
Gary DeMercurio and Justin Wynn were arrested Sept. 11, 2019, after breaking into the Dallas County Courthouse. They spent about 20 hours in jail and were charged with burglary and possession of burglary tools, though the charges were later dropped. The men were employees of Colorado-based cybersecurity firm Coalfire Labs, with whom state judicial officials had contracted to perform an analysis of the state court system's security. Judicial officials apologized and faced legislative scrutiny for how they had conducted the security test.
But even though the burglary charges against DeMercurio and Wynn were dropped, their attorney previously said having a felony arrest on their records made seeking employment difficult. Now the two men are to receive a total of $600,000 as a settlement for their lawsuit, which has been transferred between state and federal courts since they first filed it in July 2021 in Dallas County. The case had been scheduled to go to trial Monday, Jan. 26 until the parties notified the court Jan. 23 of the impending deal...
"The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest," DeMercurio said in a statement. "What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building...."
"This incident didn't make anyone safer," Wynn said. "It sent a chilling message to security professionals nationwide that helping government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it."
County Attorney Matt Schultz said dismissing the charges was the decision of his predecessor, according to the newspaper, and that he believed the sheriff did nothing wrong.
"I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."
11 comments
Prosecute what? (Score: 5, Interesting)
by balaam's ass ( 678743 ) on Sunday February 08, 2026 @02:38PM (#65976354)
He will "prosecute to the fullest extent of the law" legal, authorized pentesting?? How's that going to work?
Re:Prosecute what? (Score: 5, Insightful)
by syn3rg ( 530741 ) on Monday February 09, 2026 @08:12AM (#65977372)
Considering everything they went through, the settlement appears to be missing at least one zero.
Re: Prosecute what? (Score: 5, Informative)
by YetanotherUID ( 4004939 ) on Sunday February 08, 2026 @02:53PM (#65976384)
Not to mention, the Sheriff (and, for that matter, the new prosecutor) doesn't seem to realize that counties are subagencies of the state they are in, and the state government absolutely does have the power to authorize access to the county's buildings.
It doesn't work the way the federal/state distinction does, where each level of government derives its power from a different source. Counties have -only- the authority explicitly delegated to them by the states they are part of.
Of course, State and Local Government is mystifyingly one of the least popular elective courses taught at most law schools, let alone criminal justice programs, so no big surprise there.
Re: Prosecute what? (Score: 5, Informative)
by Kernel Kurtz ( 182424 ) on Sunday February 08, 2026 @03:10PM (#65976416)
"I am putting the public on notice that if this situation arises again in the future, I will prosecute to the fullest extent of the law."
And it will, but next time it will be real hackers, since you are clueless about security.
Re: Prosecute what? (Score: 5, Interesting)
by TWX ( 665546 ) on Sunday February 08, 2026 @03:36PM (#65976442)
And it's actually more straightforward with courts. The systems for courts are regulated at the state level, even for county and municipal courts, at least in my state. That means pretty strict compliance with state-level rules and regulations and authorization by state-level officials for things like auditing and inspection. If a lower court fails to comply, that state entity can compel that lower level jurisdiction to install an entirely segregated computer network entirely air-gapped to the local entity's LAN, meaning that court employees would have to shuttle data between their local org's PC and the court PC, with the court PC connected to a court access switch and court firewalling router with a court private network link back to state resources. And historically they've been very behind the times, still using friggin' T1 lines in the 2020s, where 1.544Mb will cost as much as a 10Gb metro ethernet circuit.
State courts allow local entities to have court PCs that can be on the local org's network with connectivity back to court resources without that special air-gapped network only if the local org accepts auditing and building that connection out to specifications. Pen testing is not an unreasonable thing to do, and if it's too easy to break into the building to gain access to PCs or network equipment and too easy to get onto the court's network then there's going to be a problem.
Re:Prosecute what? (Score: 5, Insightful)
by devnulljapan ( 316200 ) on Sunday February 08, 2026 @02:58PM (#65976398)
Current administration policy seems to be shoot first ... I was going to say ask questions later, but not really. More along the lines of postmortem character assassination to justify excessive force.
Re:Prosecute what? (Score: 5, Informative)
by coopertempleclause ( 7262286 ) on Sunday February 08, 2026 @03:06PM (#65976410)
Worth noting that Sheriff is an elected position and has no obligation to even know the law, as Republican Chad Leonard definitely proved he didn't.
Re:Prosecute what? (Score: 5, Interesting)
by taustin ( 171655 ) on Sunday February 08, 2026 @07:43PM (#65976716)
Why in the holy fuck is a judicial position at all an elected one?
A) Sheriff isn't a judicial position, it's an executive position.
B) The county I lived in during high school in Missouri had an elected sheriff who was a convicted felon. He was allowed to be sheriff, even though he wasn't allowed to carry a gun. (Very inbred area, he was literally related to enough of the voters to vote him into office in hopes that having a steady income would keep him from more hog rustling.)
It worked about as well as it sounds.
This story again? But sheriff is still a moron (Score: 5, Informative)
by haruchai ( 17472 ) on Sunday February 08, 2026 @03:06PM (#65976412)
original /. post - https://it.slashdot.org/story/... [slashdot.org]
Re:jobs should not be allowed to look at arrest on (Score: 5, Insightful)
by markdavis ( 642305 ) on Sunday February 08, 2026 @10:54PM (#65976920)
I came to post the same thing:
>" their attorney previously said having a felony arrest on their records made seeking employment difficult."
How is it that anyone should be allowed to see an ARREST record? You are presumed innocent and if found not guilty.... ESPECIALLY if the charges were dismissed... that should have no impact on your life. And if that kind of information can't be secured properly, then it should be permanently DELETED.
County Attorney Matt Schultz real statement (Score: 5, Insightful)
by jsepeta ( 412566 ) on Sunday February 08, 2026 @11:38PM (#65976980)
County Attorney Matt Schultz: "I refuse to learn any lesson from the false arrest and imprisonment of security professionals hired by the state of Iowa because I'm a shithead."