Concerns are growing in Washington over the cybersecurity practices of Flock Safety, a company that manages one of the largest license plate surveillance networks in the United States. Two lawmakers are pressing the Federal Trade Commission (FTC) to investigate the company for allegedly failing to protect sensitive data collected from its vast network of cameras.

In a recent letter to FTC chairman Andrew Ferguson, Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL) demanded an inquiry into Flock Safety’s apparent lack of mandatory multi-factor authentication (MFA) — a key security measure that prevents unauthorized users from accessing accounts even if passwords are compromised.

According to the letter, while Flock provides the option to activate MFA, it does not make the feature compulsory. The lawmakers warned that this decision could allow hackers or foreign spies to gain access to restricted areas of the company’s system. Such access would expose “billions of license plate photos” gathered from publicly funded cameras nationwide.

Flock’s technology is widely used, serving more than 5,000 police departments and private organizations across the U.S. Its cameras continuously scan and record vehicle license plates, enabling law enforcement and government agencies to search and trace vehicle movements in real time.

The letter also highlights troubling evidence suggesting that some law enforcement credentials tied to Flock’s system have already been compromised. A cybersecurity firm, Hudson Rock, found that certain login details were circulating online after being stolen by malware. Additionally, an independent researcher, Benn Jordan, shared screenshots showing a Russian cybercrime forum advertising access to stolen Flock accounts.

In response, Flock’s chief legal officer, Dan Haley, stated that as of November 2024, the company began enabling MFA by default for all new users. He added that 97% of existing law enforcement clients have now activated the feature. However, roughly 3% of agencies—potentially dozens nationwide—have not, citing “specific operational reasons.”

A company spokesperson declined to confirm how many of these remaining users were federal agencies or why they opted out of MFA.

Adding to the controversy, a past report revealed that the Drug Enforcement Administration (DEA) once accessed Flock’s database using the credentials of a local police officer—without the officer’s consent—to investigate an immigration case. The department involved has since enforced MFA to prevent similar incidents.
