NYPD officer database had security flaws that could have let hackers covertly modify officer data

A database used to track NYPD officer profiles contained security flaws that would have allowed a skilled-enough hacker to add, remove or modify data entries and insert potentially malicious files into the website’s back-end systems, City & State has learned.

The public-facing database, launched as part of police reforms in the wake of 2020 protests, contains information about active NYPD officers, which includes their disciplinary records, training history, department honors and arrests. In an officer’s disciplinary history, the public can view substantiated allegations of on-the-job misconduct that resulted in charges or discipline, such as an officer using excessive force while making an arrest. A record of NYPD disciplinary trial decisions dating back to 2008 is also available on the public database, with trial records attached and available to download.

The gaps that allowed access to the database’s back-end systems have been at least partly remedied, with NYPD last month walling off access to its developer site where the exploitations could occur. They were discovered by Jason Parker, an independent security researcher who reported the findings to the city and relayed them to City & State.

Parker has previously disclosed lapses in multiple states’ court records systems, as well as a major flaw in a tool used by numerous state and local governments to manage public records requests.

Among several legislative reforms to police accountability passed in response to the 2020 Black Lives Matter protests, New York repealed a state law known as 50-a that shielded police disciplinary records from the public. The following year, this public database went live. The NYPD did not respond to questions about whether the database is used solely for public information, or whether it is also used as an internal resource for logging and tracking officer discipline or training histories.

According to the site’s underlying web code, the database was developed by RockDaisy, a New York-based software firm that sells a flagship sports analytics software that provided the infrastructure for the then-vulnerable website. As City & State finalized reporting for this story, the application housing the foundational code for the site appeared to have been stripped of its features that linked it to the company. 

City & State was unable to pinpoint any evidence of a vendor contract between RockDaisy and New York City. Though RockDaisy shows up in the city’s vendor database, an inquiry to the city’s comptroller’s office did not turn up any signs of a deal or whether a previous deal was terminated. 

RockDaisy did not respond to multiple requests for comment about its relationship with the NYPD and the vulnerabilities identified by Parker. The company did, however, publish a blog post on May 22 disclosing that the company had been alerted to a security vulnerability in its data visualization platform that “may temporarily grant limited access to some of the platform’s administrative functions.” RockDaisy added the vulnerability had been addressed.

An NYPD spokesperson also confirmed to City & State that a security flaw existed in the database’s infrastructure and said that it has now been remedied.

“The NYPD was made aware of a security vulnerability that resulted in unauthorized access to the Officer Profile page. The NYPD immediately addressed this vulnerability,” the spokesperson wrote in an email. “As it was intended, all of the uniform member information contained within the officer profile page is publicly available. At no time was sensitive/confidential data or other NYPD systems in danger of being accessed.” 

Security gaps in public sector IT systems can lead to serious consequences for local governments, schools and civilians, who can be exposed to data breaches and ransom demands following cyberattacks.

New York is hardly immune. The state Legislature’s bill drafting system was hacked this year as lawmakers raced to pass a budget. Suffolk County and the city of Albany have suffered attacks that temporarily disabled access to city services and websites in recent years. And in 2021, a single stolen password allowed a hacker to breach the New York City Law Department’s online network, exposing the fact that the department failed to use multi-factor authentication even though the city requires it, The New York Times reported.

After City & State sent inquiries to City Hall and the NYPD, the city’s Office of Technology and Innovation reached out to highlight a city program that allows well-meaning researchers to flag security flaws, which Parker used to report the vulnerabilities.

“Protecting New York City’s data is a top priority for this administration – which is why NYC Cyber Command established a Vulnerability Disclosure Program in October 2023 that makes it easier to identify and responsibly disclose potential vulnerabilities in city-owned websites and systems,” the office spokesperson said. “We recently learned of a vulnerability affecting an NYPD website and were immediately able to put mitigations in place.”

The NYPD, which itself narrowly thwarted a ransomware attempt in 2019, did not disclose whether it knew how long unauthorized access to the officer profile page in this database was available, or whether any bad actors took advantage of that access to make changes.

Depending on how long the vulnerability was in the open, conducting such an audit would be a formidable undertaking, said Silas Cutler, a security researcher specializing in malware and vulnerability analysis who viewed a demonstration of Parker’s findings.

“It would be very difficult,” he said in an interview, noting the process would involve figuring out when the developer site first went online, followed by auditing login records for users and any changes made to the database.

Cutler said what makes the flaw more complex and severe is that over two dozen NYPD-affiliated websites are hosted on the same domain as the then-exposed profile site, including the department’s popular CompStat dashboard that logs citywide crime occurrences, according to an analysis he performed.

Though the NYPD said their other systems were not in danger of being accessed, Cutler said the exploit was so deeply rooted that, theoretically, a hacker could have had the ability to add or modify databases affiliated with the profile site or other NYPD webpages. He said this could have presented cascading impacts on officer or crime data linked across multiple department platforms. “For an attacker, there’s a long way they could go,” he said.

The particular vulnerability disclosed by Parker began with public-facing access to the site’s back-end developer page, which was visible within the troves of technical web code underpinning the database that a regular person could have accessed using internet browser tools.

From there, unauthorized access to the developer site with administrative privileges was straightforward because the site didn’t properly require user authentication. Once inside, users were granted privileges that allowed them to add, modify or delete officer profile records.

An added dimension also involved a Microsoft Azure storage key made available to administrators, which granted access to a cloud-based storage container where files linked to specific officers can be uploaded, modified or removed. A person with that level of privilege could potentially lace an officer’s profile with malign file attachments or links, or perhaps remove evidence of disciplinary allegations, Parker said in an interview.

“Being able to spread (malware) from what should be a trusted site – nobody would bat an eye at downloading a file from there,” Parker said. 

Cutler, the security researcher, said that the vulnerability was troubling.

“There are very serious structural flaws if someone’s able to walk in quite like this, because it means that everything in terms of the authentication is being handled by the client and not by the server,” said Cutler, referring to the fact that Parker was able to burrow into the database on their own device. “This is the exact type of error that I’m terrified of making.”

Last month, ProPublica reported that the information in the database itself has not been reliable, as the number of discipline cases reported in the database has fluctuated dramatically. On one day, disciplinary records for an officer might appear in the database, on another day they could be gone. 

In one example offered by ProPublica, the database on one day showed no discipline cases against NYPD Chief of Department Jeffrey Maddrey, despite a well-documented incident in 2015 in which he pleaded guilty to interfering in an internal department investigation and engaging in an off-duty physical altercation. When City & State searched for Maddrey’s records on June 26, those charges and the accompanying penalty – docked 45 vacation days – were reflected in the database.

The flaw Parker identified is likely an access control misconfiguration, described by the Open Worldwide Application Security Project as a top vulnerability, where a person entering into a system gains extra unintended permissions that allow them to exert more control over it, according to Ethan Bowen, a former analyst in the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

“The problem is they trust too much of what the client is telling them, and that’s how (Parker) is able to access the admin portal,” said Bowen, who specialized in incident response while in CISA’s Cybersecurity Division. “Yeah, it’s bad.”