Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Lawmakers have called on the Federal Trade Commission to investigate Flock Safety, a company that operates license plate scanning cameras, for allegedly failing to implement cybersecurity safeguards that exposed its camera network to hackers and spies.
In a letter Sen. Led by Ron Wyden (D-OR) and Rep. Raja Krishnamurthy (D-IL, 8th), the lawmakers urged FTC Chairman Andrew Ferguson to investigate why Flock does not enforce its use of Multi-factor authentication (MFA), a security protection that prevents malicious access by someone with knowledge of the account holder’s password.
While Wyden and Krishnamurthy said the company provides its law enforcement customers with the ability to enable MFA, “Flock does not require it, which the company confirmed to Congress in October,” according to the letter.
Wyden and Krishnamurthy said that if hackers or foreign spies knew law enforcement users’ passwords, “they could gain access to law-enforcement-only areas of Flock’s website and search billions of photos of Americans’ license plates collected by taxpayer-funded cameras across the country.”
Flock operates one of the largest networks of cameras and license plate readers in the United States, providing access to more than 5,000 police departments across the country, as well as private businesses. Flock’s cameras scan the license plates of passing vehicles so police and federal agencies with logins to Flock’s platform can search billions of captured photos and track where vehicles have traveled at any given time.
Lawmakers said they found evidence that some of Flock’s law enforcement customers’ logins had been stolen and shared online, citing data from Hudson’s Rock, a cybersecurity company that identified stolen usernames and passwords. Data stealing malware.
Independent security researcher Ben Jordan also provided lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling access to Flock logins.
Reached by TechCrunch for comment, Flock shared the company’s response in a letter from its chief legal officer, Dan Haley, in which he said the company has enabled MFA by default for all new customers starting in November 2024 and that 97% of its law enforcement customers have enabled MFA to date.
That leaves about 3% of the company’s customers — potentially dozens of law enforcement agencies — who have declined to turn on MFA, citing “reasons specific to them,” Haley wrote.
Holly Beilein, a spokeswoman for Flock, did not immediately provide a specific number of law enforcement customers who have not yet turned on MFA, say whether any federal agencies are among the remaining customers, or why Flock’s customers are not required to turn on the security feature.
404 media As previously reported that the US Drug Enforcement Administration used a local police officer’s password to access Flock’s camera to search for a suspect of “immigration violations,” but without the officer’s knowledge. The Palos Heights Police Department said it introduced multi-factor authentication after the breach.
