County pays $600,000 to pentesters it arrested for assessing courthouse security
Summary
A county has agreed to pay $600,000 to two penetration testers who were arrested six years ago while assessing the security of a courthouse. The pentesters, Gary DeMercurio and Justin Wynn, were hired to perform the assessment but were mistaken for criminals and subsequently arrested. The settlement concludes a long legal battle following the incident.
IFF Assessment
This incident highlights the legal and professional risks that penetration testers can face even when legitimately contracted, risks that make it more challenging for defenders to assess and improve security.
Defender Context
This case illustrates the importance of clear communication and legal safeguards when hiring external security consultants. Defenders need to ensure that contracts explicitly outline the scope of work and provide legal protection for testers, and that local law enforcement is properly informed of ongoing authorized activity. Such incidents can discourage legitimate security testing and hinder overall security posture improvements.