Lawmakers are urging the Federal Trade Commission (FTC) to investigate Flock Safety, the Atlanta-based company behind one of America’s largest license plate surveillance networks, for allegedly neglecting basic cybersecurity safeguards, a failure that could allow hackers or foreign spies to access sensitive law enforcement data.
In a joint letter, Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL) called on FTC chair Andrew Ferguson to examine why Flock has not made multi-factor authentication (MFA) mandatory for its law enforcement users. MFA adds a crucial layer of protection that prevents unauthorized access, even if an account password is compromised.
The lawmakers said that while Flock offers MFA, the company confirmed to Congress that it does not require it, a policy that “puts billions of Americans’ license plate scans at risk.” Without MFA, any hacker with a stolen password could reportedly gain access to law enforcement-only areas of the Flock platform and search through billions of taxpayer-funded camera captures tracking vehicle movements nationwide.
Flock Safety operates a massive surveillance network, providing camera and license plate reader access to more than 5,000 police departments and private entities across the U.S. Its cameras record vehicle movements in real time, creating a searchable database used by police and federal agencies to track locations, investigate crimes, or, in some controversial cases, conduct immigration-related searches.
Wyden and Krishnamoorthi cited data from cybersecurity firm Hudson Rock showing that some Flock law enforcement accounts had already been compromised and their credentials shared online. Independent security researcher Benn Jordan reportedly found a Russian cybercrime forum advertising access to stolen Flock logins, which the lawmakers say is further evidence of Flock’s weak security enforcement.
Flock’s chief legal officer, Dan Haley, responded in a letter stating that the company enabled MFA by default for all new customers starting November 2024. He added that 97% of Flock’s law enforcement partners have now activated MFA. That still leaves roughly 3%, potentially dozens of police agencies, that have not turned it on. Haley said those departments had “reasons specific to them” for opting out, but did not elaborate.
Company spokesperson Holly Beilin declined to clarify how many police departments have yet to activate MFA or whether any federal agencies are among them. The lack of a mandatory policy continues to raise concerns over the company’s cybersecurity practices, given the sensitive nature of its vast surveillance data.
Earlier reports by 404 Media revealed that the U.S. Drug Enforcement Administration once used a local police officer’s password to search Flock’s database for an individual suspected of an immigration violation, without the officer’s knowledge. That department has since enabled multi-factor authentication.
The lawmakers argue that incidents like these highlight a dangerous gap in Flock’s approach to data protection. With billions of license plate images stored and shared across agencies, even a small breach could expose confidential investigations or enable unlawful surveillance.