Congressional lawmakers are calling for a Federal Trade Commission investigation into Flock Safety after discovering that stolen police credentials are giving hackers access to billions of license plate photos captured by the surveillance company's cameras nationwide. The bipartisan letter reveals that 3% of law enforcement agencies using Flock's platform haven't enabled basic multi-factor authentication, potentially exposing sensitive tracking data to foreign spies and cybercriminals.
Congressional leaders just dropped a cybersecurity bombshell that could reshape how surveillance companies handle law enforcement data. Flock Safety, which operates one of America's largest license plate tracking networks, is facing federal scrutiny after lawmakers discovered that basic security gaps are exposing billions of photos to hackers and foreign spies.
Sen. Ron Wyden and Rep. Raja Krishnamoorthi sent a letter to FTC Chairman Andrew Ferguson demanding an investigation into why Flock doesn't require multi-factor authentication for its 5,000+ law enforcement customers. The timing couldn't be worse for the Atlanta-based company, which has been rapidly expanding its surveillance footprint across American cities.
The security hole is staggering in scope. While Flock offers MFA as an option, the company admitted to Congress in October that it doesn't mandate the basic protection. That leaves roughly 3% of police departments - potentially dozens of agencies - operating with password-only access to a system that tracks where Americans drive every day.
"If hackers or foreign spies learn of a law enforcement user's password, they can gain access to law-enforcement-only areas of Flock's website and search the billions of photos of Americans' license plates," the lawmakers wrote. The implications extend far beyond typical data breaches - this involves real-time tracking capabilities that could compromise ongoing investigations or enable surveillance by hostile actors.
Evidence of active exploitation is already surfacing. Hudson Rock, a cybersecurity firm that monitors stolen credentials, provided lawmakers with data showing Flock login credentials circulating in criminal networks. Independent researcher Benn Jordan went further, sharing screenshots of a Russian cybercrime forum allegedly selling direct access to Flock accounts.
The company's response reveals just how recently it recognized the problem. Chief Legal Officer Dan Haley told TechCrunch that Flock only switched to MFA-by-default for new customers in November 2024 - meaning legacy accounts remained vulnerable for years. Even now, 97% adoption leaves "dozens of law enforcement agencies" exposed, according to Haley's own math.