Concerns rise as Flock’s license plate camera network reportedly exposes sensitive law enforcement data due to weak security practices
Lawmakers Demand Action on Flock Safety’s Security Flaws
Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL) have called on the Federal Trade Commission (FTC) to investigate Flock Safety for alleged cybersecurity failures. Their main concern: the company’s lack of mandatory multi-factor authentication (MFA) for user logins, which potentially exposes sensitive data to hackers and foreign spies.
- In a formal letter to FTC Chairman Andrew Ferguson, the lawmakers criticized Flock for not requiring MFA, a basic security layer that can block unauthorized access even when a password is compromised.
- Flock confirmed to Congress in October that MFA is optional, not enforced, for law enforcement clients.
Potential National Security Risk
Flock Safety operates one of the largest surveillance networks in the U.S., supplying license plate-reading cameras to over 5,000 police departments and private businesses. These cameras collect billions of vehicle images, allowing users to track vehicle movements.
- If a law enforcement user’s password is stolen, intruders could access sensitive data on Flock’s platform without detection.
- Wyden and Krishnamoorthi warned that this creates a serious vulnerability, especially since the network is funded by taxpayers.
Evidence of Compromised Credentials
The lawmakers cited compelling evidence of security breaches involving Flock’s systems:
- Cybersecurity firm Hudson Rock uncovered stolen law enforcement logins tied to Flock accounts, allegedly compromised through info-stealing malware.
- Independent researcher Benn Jordan presented screenshots of a Russian cybercrime forum offering Flock login credentials for sale.
Flock’s Response: Partial Measures
In response, Flock shared a letter from its Chief Legal Officer, Dan Haley, stating that:
- As of November 2024, MFA is enabled by default for new customers.
- Currently, 97% of law enforcement clients have MFA switched on.
Still, this leaves about 3% — potentially dozens of agencies — operating without this security protection.
- Haley said those agencies cited specific reasons for declining MFA but did not elaborate.
- Flock spokesperson Holly Beilin declined to clarify how many agencies still lack MFA or whether federal agencies are among them.
Past Incident Shows Systemic Issues
A notable prior breach underscores the risk:
- In a case reported by 404 Media, the U.S. Drug Enforcement Administration (DEA) accessed Flock data by using a local police officer’s login — without that officer’s knowledge — to pursue an immigration case.
- Following the breach, the Palos Heights Police Department enabled MFA on its account.
Lawmakers are urging the FTC to investigate Flock Safety over its optional multi-factor authentication policy, raising concerns about surveillance data vulnerabilities. Despite some improvements, gaps remain that could expose sensitive law enforcement data to hackers and foreign actors.
