Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers

Lawmakers have called on the Federal Trade Commission to investigate Flock Safety, a company that operates license plate scanning cameras. They allege the company failed to implement cybersecurity protections, leaving its camera network exposed to hackers and spies.

In a letter sent by Senator Ron Wyden and Representative Raja Krishnamoorthi, the lawmakers urge FTC Chairman Andrew Ferguson to probe why Flock does not enforce the use of multi-factor authentication. This security protection prevents malicious access by someone who knows an account holder’s password. The lawmakers stated that while the company offers its law enforcement customers the ability to enable multi-factor authentication, Flock does not require it, a fact the company confirmed to Congress in October.

Wyden and Krishnamoorthi warned that if hackers or foreign spies learn a law enforcement user’s password, they could gain access to law-enforcement-only areas of Flock’s website. This would allow them to search the billions of photos of Americans’ license plates collected by taxpayer-funded cameras across the country.

Flock operates one of the largest networks of cameras and license plate readers in the United States. It provides access to more than 5,000 police departments, as well as private businesses. Flock’s cameras scan the license plates of passing vehicles so that police and federal agencies with logins can search the billions of captured photos and track where vehicles have traveled at any given time.

The lawmakers said they found evidence that some law enforcement customer logins had been previously stolen and shared online, citing data from cybersecurity company Hudson Rock. An independent security researcher also provided the lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling access to Flock logins.

When asked for comment, Flock shared a response from its chief legal officer, Dan Haley. He stated the company switched on multi-factor authentication by default for all new customers starting in November 2024, and that 97 percent of its law enforcement customers have enabled it to date.

That leaves around 3 percent of the company’s customers, potentially dozens of law enforcement agencies, that have declined to switch on multi-factor authentication. Haley wrote that these agencies had reasons specific to them. A spokesperson for Flock did not immediately provide the specific number of law enforcement customers without multi-factor authentication, confirm if any federal agencies are among them, or explain why the company does not require the security feature.

A previous report indicated that the United States Drug Enforcement Administration used a local police officer’s password to access Flock’s cameras to search for an individual suspected of an immigration violation, without the officer’s knowledge. The police department involved said it switched on multi-factor authentication following that breach.