Lawmakers Urge FTC Investigation into Flock Safety’s Cybersecurity Practices Amidst Stolen Police Logins
In a recent development, U.S. lawmakers have called upon the Federal Trade Commission (FTC) to investigate Flock Safety, a company specializing in license plate-scanning cameras, for allegedly inadequate cybersecurity measures that may expose its extensive camera network to unauthorized access.
Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL, 8th) have addressed a letter to FTC Chairman Andrew Ferguson, expressing concerns over Flock Safety’s failure to mandate multi-factor authentication (MFA) for its law enforcement clients. MFA is a critical security protocol designed to prevent unauthorized access, even if a user’s password is compromised.
The lawmakers highlighted that, although Flock Safety offers MFA as an option, it does not enforce its use. This policy was confirmed by the company during a congressional briefing in October. The absence of mandatory MFA means that if malicious actors obtain a law enforcement user’s password, they could potentially access restricted areas of Flock’s platform, which houses billions of images of Americans’ license plates collected by cameras funded by taxpayers nationwide.
Flock Safety operates one of the largest networks of license plate recognition cameras in the United States, serving over 5,000 police departments and private businesses. These cameras capture images of passing vehicles’ license plates, enabling law enforcement agencies to search through vast amounts of data to track vehicle movements over time.
The legislators cited evidence indicating that login credentials of some of Flock’s law enforcement clients have been compromised and circulated online. Data from Hudson Rock, a cybersecurity firm specializing in identifying credentials stolen by information-stealing malware, supports this claim. Additionally, independent security researcher Benn Jordan provided a screenshot from a Russian cybercrime forum allegedly offering access to Flock logins for sale.
In response to these concerns, Flock Safety’s Chief Legal Officer, Dan Haley, stated that the company began enabling MFA by default for all new customers in November 2024. To date, 97% of its law enforcement clients have activated MFA. However, approximately 3% of customers—potentially representing dozens of law enforcement agencies—have chosen not to implement MFA, citing unspecified reasons.
Flock Safety spokesperson Holly Beilin did not provide specific numbers regarding law enforcement clients who have yet to adopt MFA, nor did she clarify whether any federal agencies are among them. The company also did not explain why it does not require all customers to implement this security feature.
This situation underscores the critical importance of robust cybersecurity measures, especially for companies handling sensitive data. The potential for unauthorized access to vast amounts of personal information raises significant privacy and security concerns. As the FTC considers this matter, the case highlights the ongoing need for stringent security protocols to protect both public and private data from cyber threats.