Lawmakers have asked the Federal Trade Commission to investigate Flock Safety, a company that operates license plate scanning cameras, for allegedly failing to implement cybersecurity protections, leaving its camera network exposed to hackers and spies.
In a letter sent by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, 8th), the lawmakers are urging FTC Chairman Andrew Ferguson to investigate why Flock does not enforce the use of multi-factor authentication (MFA), a security protection that prevents malicious access by someone who knows the account password.
Wyden and Krishnamoorthi said that while the company offers law enforcement customers the ability to enable MFA, “Flock does not require it, which the company confirmed to Congress in October,” according to the letter.
Wyden and Krishnamoorthi said that if hackers or foreign spies learn a law enforcement user’s password, “they can access law enforcement-only areas of Flock’s website and search billions of license plate photos of Americans collected by taxpayer-funded cameras across the country.”
Flock operates one of the largest networks of cameras and license plate readers in the US, providing access to more than 5,000 police departments, as well as private businesses, across the country. Flock’s cameras scan the license plates of passing vehicles, so police and federal agencies logged into the Flock platform can search the billions of photos taken and track where vehicles have traveled at any given time.
Lawmakers said they found evidence that some of Flock’s customer logins had been stolen and shared in the past, citing data from Hudson Rock, a cybersecurity firm that tracks usernames and passwords stolen by information-stealing malware.
Independent security researcher Ben Jordan also provided lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling access to Flock credentials.
When reached by TechCrunch for comment, Flock shared the company’s response to the lawmakers’ letter, written by its chief legal officer Dan Haley, in which he says the company has enabled MFA by default for all new customers starting in November 2024 and that 97% of law enforcement customers have enabled MFA to date.
That leaves about 3 percent of the company’s customers — possibly dozens of law enforcement agencies — that have declined to enable MFA, citing “reasons specific to them,” Haley wrote.
Holly Beilin, a Flock spokeswoman, did not immediately provide a specific number of law enforcement customers who have not yet enabled MFA, whether federal agencies are among the remaining customers, or why Flock does not require its customers to enable the security feature.
404 Media previously reported that the US Drug Enforcement Administration used a local police officer’s password, without the officer’s knowledge, to access Flock’s cameras and search for a person suspected of an “immigration violation.” The Palos Heights Police Department said it activated multi-factor authentication after the breach.
