Security expert arrested for lock picking with permission wins 90 million yen settlement

In 2019, two security experts who had received permission from the Iowa State Judicial System to conduct a security breach exercise were arrested for theft and trespassing after attempting to break into the Dallas County Courthouse in Iowa. The two sued Dallas County, claiming they were accused of criminal activity despite performing work recognized as serving the public interest. After a six-year trial, the two were awarded a $600,000 settlement.

County pays $600,000 to pentesters it arrested for assessing courthouse security - Ars Technica

https://arstechnica.com/security/2026/01/county-pays-600000-to-pentesters-it-arrested-for-assessing-courthouse-security/

Gary DeMercurio and Justin Wynn, penetration testers working for Colorado-based security firm Coalfire Labs, received written permission from an Iowa law enforcement agency to conduct a 'red team' exercise. A red team exercise is an attempted security breach that mimics techniques used by criminals and thieves, with the aim of testing the resilience of existing defense systems by attempting a real intrusion. The rules allowed for red team exercises to involve physical attacks on law enforcement buildings, including lock-picking, as long as no significant damage was caused.

The two testers discovered a side door of the courthouse open just after midnight in September 2019, so they closed the door and activated the auto-lock. They then inserted a simple tool through the gap in the door to unlock it and entered the building, demonstrating that it is possible to break into a locked building using a break-in tool. After breaking in, the testers sounded an alarm to alert authorities.

A few minutes later, a deputy arrived and showed the testers their red team exercise permit. The deputy confirmed that the permit was genuine, but when Dallas County Sheriff Chad Leonard arrived, he stated that the Dallas County Courthouse is within his jurisdiction and does not authorize such an intrusion, and he arrested the two testers.

The two men presented legal justification for their work and legal contracts to confirm it, but were arrested for third-degree theft (a felony) and released on $50,000 bail after 20 hours in custody. The charges were later reduced to a lesser charge of trespassing, but Sheriff Leonard continued to insist that the men were breaking the law and should be severely punished.

'This sends a frightening message to security professionals across the country that helping identify security issues for the government could lead to arrest, prosecution and social disgrace. This undermines rather than enhances public safety,' said Wynn, one of the testers.

After their arrest, DeMercurio and Wynn filed a lawsuit against Dallas County and Sheriff Leonard alleging false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The lawsuit dragged on for several years, but in January 2026, Dallas County officials agreed to pay $600,000 (approximately 90 million yen) to settle the case.

'The settlement confirms what we have maintained from the beginning: that our work was licensed, professional, and performed in the public interest. What happened to us was unthinkable: we were arrested for the work we were hired to do, our lives were changed forever, and our reputations, which we had built over the years, were tarnished,' DeMercurio said in a statement.