November 4, 2025

    Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers | TechCrunch


    Lawmakers have called on the Federal Trade Commission to investigate Flock Safety, a company that operates license plate scanning cameras, for allegedly failing to implement cybersecurity protections, leaving its camera network exposed to hackers and spies.

    In a letter sent by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, 8th), the lawmakers urge FTC Chairman Andrew Ferguson to probe why Flock does not enforce the use of multi-factor authentication (MFA), a security protection that prevents malicious access by someone with knowledge of the account holder’s password.

    Wyden and Krishnamoorthi said that while the company offers its law enforcement customers the ability to enable MFA, “Flock does not require it, which the company confirmed to Congress in October,” according to the letter.

    Wyden and Krishnamoorthi said that if hackers or foreign spies learn of a law enforcement user’s password, “they can gain access to law-enforcement-only areas of Flock’s website and search the billions of photos of Americans’ license plates collected by taxpayer-funded cameras across the country.”

    Flock operates one of the largest networks of cameras and license plate readers in the U.S., providing access to more than 5,000 police departments, as well as private businesses, across the country. Flock’s cameras scan the license plates of passing vehicles so that police and federal agencies with logins to Flock’s platform can search the billions of captured photos and track where vehicles have traveled at any given time.

    The lawmakers said that they had found evidence that some of Flock’s law enforcement customers’ logins had been previously stolen and shared online, citing data from Hudson Rock, a cybersecurity company that identifies usernames and passwords stolen by information-stealing malware.

    Independent security researcher Benn Jordan also provided the lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling access to Flock logins.

    When reached by TechCrunch for comment, Flock shared the company’s response in a letter from its chief legal officer Dan Haley, in which he says the company switched on MFA by default for all new customers starting in November 2024, and that 97% of its law enforcement customers have enabled MFA to date.

    That leaves around 3% of the company’s customers — potentially dozens of law enforcement agencies — that have declined to switch on MFA, citing “reasons specific to them,” Haley wrote. 

    Holly Beilin, a spokesperson for Flock, did not immediately provide a specific number of law enforcement customers that have not yet switched on MFA, say whether any federal agencies are among the remaining customers, or explain why Flock does not require its customers to switch on the security feature.

    404 Media previously reported that the U.S. Drug Enforcement Administration used a local police officer’s password to access Flock’s cameras to search for an individual suspected of an “immigration violation,” but without the officer’s knowledge. The Palos Heights Police Department said it switched on multi-factor authentication following the breach.


