Flock Camera System Breach: Policy Compliance, Hard‑Coding Pitfalls, and the 2FA Mandate
Police and Law Enforcement Usage Best Practices.
A recent controversy around the Flock Safety camera ecosystem, widely used for automated license plate recognition (ALPR), offers a clear lesson: policy controls only protect you if they are actually turned on. In November 2025, lawmakers urged the U.S. Federal Trade Commission to investigate Flock Safety after evidence surfaced that stolen police credentials were being traded online, potentially granting unauthorized access to law‑enforcement‑only areas of Flock’s platform and “billions of photos” collected by taxpayer‑funded cameras. Flock confirmed to Congress that, while it offers multi‑factor authentication (MFA), it does not universally require it; the company says 97% of law‑enforcement customers have enabled MFA, leaving about 3%, potentially dozens of agencies, without the added protection[1].
This dispute unfolded just months after CJIS Security Policy updates took effect. Beginning October 1, 2024, the FBI’s CJIS framework mandates MFA for all entities accessing Criminal Justice Information (CJI), whether the access occurs remotely or inside a secure facility; this reflects a broad push to counter credential theft and phishing. NIST’s 2025 IR 8523 emphasizes MFA’s central role in CJIS compliance and outlines acceptable factors and assurance levels[2].
What went wrong and why it matters
From the facts available, the core weakness wasn’t an exotic exploit; it was basic account security. If agencies did not activate MFA, a single stolen password could open the door to sensitive search capabilities across a vast ALPR network. Lawmakers cited evidence of police logins stolen by information‑stealing malware and allegedly sold in cybercrime forums, precisely the scenario MFA is designed to blunt.
To Flock’s credit, the company reported MFA‑by‑default for all new customers as of November 2024 and highlights broader CJIS alignment, even touting an external CJIS ACE compliance seal earned with a third party in December 2024. But “available” controls are not the same as enforced controls; leaving MFA optional produces uneven risk across agencies[3].
“DLI, Learn More” about classification and policies
Agencies should formalize a data classification scheme that maps directly to policy controls. This is a “learn more” imperative that moves beyond checklists. Under CJIS, CJI must be protected across its full lifecycle (creation, storage, transmission, and disposal). Policies should classify data (e.g., CJI, operational logs, administrative metadata) and tie each class to controls like identification & authentication, encryption, audit logging, and incident response. The FBI’s CJIS Security Policy (v6.0, Dec. 27, 2024) underscores modular, updatable requirements, enabling agencies to adopt stricter local rules where needed. In practice: if a system touches CJI, then MFA is mandatory, encryption in transit and at rest should be standard, and access should be recorded with tamper‑evident logs[4].
Hard‑coding: a silent policy bypass
Separate from account hygiene, hard‑coded credentials (passwords, API keys, tokens embedded in code or firmware) represent a policy bypass: they are invisible to rotation schedules, frequently exposed in repositories, and often shared across environments. While much of the public reporting about the Flock case centers on stolen user credentials and optional MFA, the broader lesson still applies: hard‑coding drastically increases blast radius and undermines CJIS’s principle of least privilege and strong identification. NIST IR 8523 and vendor guidance repeatedly warn that credential theft and reuse are dominant vectors; hard‑coding amplifies those risks.
Rapid fixes are good; proactive enforcement is better
Flock stated it enabled MFA by default for new customers and moved quickly to remediate exposure concerns. That’s a positive step. But policy enforcement must be systemic: agencies should configure mandatory MFA for all privileged and non‑privileged accounts; vendors should technically require MFA for platforms that process CJI, especially where integrations expose investigative search at national scale. A “default‑on, non‑bypassable” posture reduces variance between agencies and closes gaps that adversaries exploit.
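The classification‑to‑controls mapping described above, together with the “default‑on, non‑bypassable” MFA posture, can be made concrete in code. The following is an added illustration, not Flock Safety’s or the FBI’s code: a small policy check that maps each data class to required authentication controls, refuses access when those controls are unmet for any account type (service accounts and integrations included), requires step‑up authentication for sensitive queries, and writes every decision to a hash‑chained, tamper‑evident audit log. The data classes follow the article; the factor catalogue, the per‑class control values, the AAL assignments and the sample requests are assumptions constructed for the example.

```python
"""Added illustration (not Flock Safety's or the FBI's code): class-to-control
mapping, non-bypassable MFA evaluation, and a hash-chained audit log.
Control values and sample requests are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum
import hashlib
import json


class DataClass(Enum):
    CJI = "cji"                         # Criminal Justice Information
    OPERATIONAL_LOG = "operational_log"
    ADMIN_METADATA = "admin_metadata"


# Assumed factor catalogue: authenticator -> (AAL it satisfies, phishing-resistant?).
# AAL numbers follow NIST SP 800-63B naming; the assignments here are assumptions.
FACTORS = {
    "password_only": (1, False),
    "sms": (2, False),
    "totp_app": (2, False),
    "smartcard": (2, True),
    "fido2_key": (2, True),
}

# Assumed class-to-control mapping. AAL2 (i.e. MFA) is required for every class;
# CJI additionally bans SMS codes and demands step-up for sensitive queries.
REQUIRED_CONTROLS = {
    DataClass.CJI: {"min_aal": 2, "banned_factors": {"sms"}, "step_up_for_sensitive": True},
    DataClass.OPERATIONAL_LOG: {"min_aal": 2, "banned_factors": set(), "step_up_for_sensitive": False},
    DataClass.ADMIN_METADATA: {"min_aal": 2, "banned_factors": set(), "step_up_for_sensitive": False},
}


@dataclass
class AccessRequest:
    account: str
    account_type: str               # "user", "service" or "integration": none is exempt
    data_class: DataClass
    factor: str
    sensitive_query: bool = False   # e.g. a cross-agency plate search
    step_up_verified: bool = False  # fresh re-authentication bound to this query


def evaluate(req: AccessRequest) -> list:
    """Return the list of unmet controls; an empty list means access is allowed.
    There is deliberately no account-type exemption: service accounts and
    integrations are evaluated exactly like interactive users."""
    controls = REQUIRED_CONTROLS[req.data_class]
    aal, _phishing_resistant = FACTORS.get(req.factor, (0, False))
    unmet = []
    if aal < controls["min_aal"]:
        unmet.append("mfa_required")
    if req.factor in controls["banned_factors"]:
        unmet.append("factor_not_permitted_for_class")
    if controls["step_up_for_sensitive"] and req.sensitive_query and not req.step_up_verified:
        unmet.append("step_up_required")
    return unmet


class AuditLog:
    """Append-only decision log where each entry commits to the previous one's
    digest, so editing or deleting any record breaks verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.head = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, req: AccessRequest, unmet: list) -> str:
        body = {"account": req.account, "type": req.account_type,
                "class": req.data_class.value, "allowed": not unmet,
                "unmet": list(unmet), "prev": self.head}
        self.head = self._digest(body)
        self.entries.append({"body": body, "digest": self.head})
        return self.head

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["body"]["prev"] != prev or self._digest(entry["body"]) != entry["digest"]:
                return False
            prev = entry["digest"]
        return prev == self.head


def decide(log: AuditLog, req: AccessRequest) -> bool:
    """Evaluate, log the outcome (allowed or not), and return the decision."""
    unmet = evaluate(req)
    log.record(req, unmet)
    return not unmet


if __name__ == "__main__":
    log = AuditLog()
    print(decide(log, AccessRequest("officer1", "user", DataClass.CJI, "fido2_key")))
    print(decide(log, AccessRequest("svc-ingest", "service", DataClass.CJI, "password_only")))
    print("audit chain intact:", log.verify())
```

The point of `evaluate` is structural: the only way to grant access to a CJI‑class resource is to present a factor that satisfies the class’s minimum AAL, so there is no configuration flag that exempts an account type. The hash chain makes silent edits detectable by anyone holding a trusted copy of the head digest; in a real deployment the head should be anchored outside the logging host (or the entries keyed with an HMAC whose key the host does not hold), otherwise an attacker with write access could recompute the chain.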
Police Agency MFA Activation Checklist (Flock & other CJI systems)
Inventory & scope
Identify all users, service accounts, and integrations that can access CJI, including mobile devices, shared kiosks, VPN, and web portals. Map these to Policy Area 6 (Identification & Authentication).
Select phishing‑resistant factors
Prefer hardware security keys, smart cards, or certified mobile authenticators (AAL2‑capable). Avoid SMS codes for CJI access.
Make MFA mandatory (not optional)
Configure platform policies so MFA cannot be bypassed for any account type. Where possible, enforce conditional access and step‑up auth for sensitive queries.
Eliminate hard‑coded secrets
Replace embedded credentials with vaulted secrets, short‑lived tokens, and automated rotation. Add static analysis to CI/CD to flag secrets before deployment.
Harden lifecycle controls
Enable audit logging, alerting on anomalous access, and periodic access reviews. Validate encryption in transit/at rest for data classes touching CJI. Align with CJIS v6.0 lifecycle requirements.
Train and test
Provide phishing‑resistance training for sworn and professional staff. Run tabletop exercises and red‑team checks to verify MFA enforcement and incident response.
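The hard‑coding section above and the “Eliminate hard‑coded secrets” checklist item both call for the same two things: a way to catch embedded credentials before deployment, and a pattern that keeps them out of source in the first place. The following is an added example, not Flock Safety’s code and not any vendor’s scanner: a minimal pre‑deployment secret check of the kind a CI/CD pipeline can run as a gate, shown against a constructed “before” configuration (credentials in source) and a constructed “after” configuration (credentials resolved at runtime through a `load_secret` helper). The file contents, variable names, key formats, the entropy threshold and the vault lookup callable are all assumptions made for the example.

```python
"""Added example (not Flock Safety's code, not a vendor scanner): a CI secret
gate with three detection rules, plus the 'before' and 'after' config pattern.
All sample values are constructed; none is a real credential."""
import math
import os
import re
from collections import Counter
from dataclasses import dataclass

# Rule 1: a secret-looking name assigned a quoted literal of 8+ characters.
SECRET_ASSIGN = re.compile(
    r'(?i)(?P<name>api[_-]?key|secret|token|pass(w(or)?d)?)\s*[:=]\s*["\'](?P<value>[^"\']{8,})["\']')
# Rule 2: credentials embedded in a connection URL (scheme://user:pass@host).
URL_CREDS = re.compile(r'[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@')
# Rule 3: long tokens whose character distribution looks random.
CANDIDATE = re.compile(r'[A-Za-z0-9+/=_-]{24,}')
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off for this example


@dataclass
class Finding:
    source: str
    line: int
    rule: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<memory>") -> list:
    """Apply the three rules line by line; at most one finding per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append(Finding(source, lineno, "hardcoded_secret_literal", m.group("name")))
            continue
        if URL_CREDS.search(line):
            findings.append(Finding(source, lineno, "credentials_in_url", line.strip()[:40]))
            continue
        for token in CANDIDATE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(source, lineno, "high_entropy_string", token[:8] + "..."))
                break
    return findings


def ci_gate(files: dict) -> tuple:
    """Return (passed, findings). Wire the boolean into the pipeline so that a
    deployment with any finding fails before it ships."""
    findings = [f for name, text in files.items() for f in scan_text(text, name)]
    return (not findings, findings)


def load_secret(name: str, vault_lookup=None) -> str:
    """'After' pattern: resolve a secret from an injected store (hypothetical
    callable) or the process environment, never from a literal in source."""
    value = vault_lookup(name) if vault_lookup is not None else None
    if not value:
        value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} has not been provisioned")
    return value


# Constructed sample of the 'before' pattern. None of these values are real.
BEFORE = """# credentials embedded in source: never rotated, cloned with every checkout
ALPR_API_KEY = "example-a1b2c3d4e5f6a7b8c9d0e1f2"
DB_URL = "postgres://alpr_user:Summer2024!@db.internal/alpr"
HEADERS = {"Authorization": "Bearer ey9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c"}
"""

# Constructed sample of the 'after' pattern: the code names the secret,
# the deployment environment supplies it, and rotation happens in the store.
AFTER = """# values are provisioned at runtime by the secret store
ALPR_API_KEY = load_secret("ALPR_API_KEY")
DB_USER = load_secret("DB_USER")
DB_PASS = load_secret("DB_PASS")
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        passed, findings = ci_gate({f"config_{label}.py": text})
        print(label, "PASS" if passed else "FAIL", [(f.line, f.rule) for f in findings])
```

Run as a script, the “before” file fails the gate on three lines (a literal API key, a password inside a database URL, and a bearer token caught only by the entropy rule) while the “after” file passes. The entropy rule is the noisy one in practice: hashes, base64 blobs and minified assets trip it, so a real pipeline pairs it with an allow‑list of known non‑secret paths rather than lowering the threshold.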
[1] Whittaker, Z. (2025). Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers. Retrieved from https://techcrunch.com/2025/11/03/lawmakers-say-stolen-police-logins-are-exposing-flock-surveillance-cameras-to-hackers/
[2] NIST (2025). Multi-Factor Authentication for Criminal Justice Information Systems: NIST IR 8523. Retrieved from https://csrc.nist.gov/News/2025/mfa-for-cjis-nist-ir-8523
[3] Globe Newswire (2024). Flock Safety Announces Full Compliance with FBI’s Newly-Released Criminal Justice Information Services (CJIS) Policy Update. Retrieved from https://www.globenewswire.com/news-release/2024/12/19/3000204/0/en/Flock-Safety-Announces-Full-Compliance-with-FBI-s-Newly-Released-Criminal-Justice-Information-Services-CJIS-Policy-Update.html
[4] FBI (2024). Criminal Justice Information Services (CJIS) Security Policy, v6.0. Retrieved from https://le.fbi.gov/file-repository/cjis_security_policy_v6-0_20241227.pdf