Iowa state court officials contracted with Coalfire to conduct “penetration tests” on its security; as part of those tests, two Coalfire employees broke-and-entered the Adel, Iowa courthouse, and were caught by law-enforcement, whose bosses in Dallas County were not notified of the test.
The state has apologized to the county, but the two Coalfire employees were still in jail as of this writing.
As Sean Gallagher points out at Ars Technica, penetration testers often have broadly defined scopes of work for their engagements, and this highlights the risk of a brief that essentially goes, “Just do what it takes to figure out if criminals could compromise our security.”
State court administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation. Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure.