State court administration, private security firm had “different interpretations” of contract leading to courthouse break-ins

Local News

DES MOINES — The agency overseeing Iowa’s courts says it had a different understanding of the scope of work to be done with a private security firm that resulted in two men suspected of breaking into two different courthouses.

State court administration hired Colorado-based Coalfire to “ensure the court’s highly sensitive data was secured against attack,” according to a new statement from the Iowa Judicial Branch.

The Polk County Sheriff’s Office says 29-year-old Justin Wynn and 43-year-old Gary Demercurio were captured on surveillance footage breaking into the Polk County Courthouse around midnight on September 9.

A small electronic device with the company logo “Coalfire” was found inside the courthouse during the investigation, according to the Polk County Sheriff’s Office.

The two are also believed to have broken into the Dallas County Courthouse the morning of September 11. While no charges have been filed in Polk County, the pair has been charged with Burglary in the Third Degree and Possession of Burglary Tools in Dallas County.

The contract totaling $75,000 released Wednesday spells out what the security company and courts system agreed to in late May.

Scope of Testing between Coalfire and the Iowa Judicial Branch

“The penetration test and corresponding risk assessment will be performed by Coalfire to test the adequacy and effectiveness of security control measures in place to protect the security and integrity of sensitive information technology systems and data,” a Rules of Engagement document dated July 30 reads.

Under the “Physical Attacks” category of Coalfire’s service order, it is noted that “physical attacks may also include targeting your wireless infrastructure to attempt gaining unauthorized and persistent access to the internal network. Physical Penetration Test targets your facilities/buildings/locations.”

The Iowa Judicial Branch had originally said that state court administration “did not intend, or anticipate” any physical efforts of Coalfire to enter central Iowa courthouses.

“Coalfire’s client confidentiality is one of the most important aspects of our business,” the company said in a statement.

Service order for Coalfire spelling out its “Physical Attacks” scope of work

“Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work,” the Iowa Judicial Branch said. “Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement.”

The agreement also stated that requests for testing must be completed within normal business hours, Monday through Friday between 7 a.m. and 7 p.m.

Additional documents concerning Coalfire’s scope of work and service agreement can be found below.

Master Agreement

Requirements and Assumptions

Service Order

Social Engineering Authorization

Rules of Engagement

©TEGNA Inc. 2019. All Rights Reserved.