Congressional lawmakers are calling for a Federal Trade Commission investigation into Flock Safety after discovering that stolen police credentials are giving hackers access to billions of license plate photos captured by the surveillance company's cameras nationwide. The bipartisan letter reveals that 3% of law enforcement agencies using Flock's platform haven't enabled basic multi-factor authentication, potentially exposing sensitive tracking data to foreign spies and cybercriminals.
Congressional leaders just dropped a cybersecurity bombshell that could reshape how surveillance companies handle law enforcement data. Flock Safety, which operates one of America's largest license plate tracking networks, is facing federal scrutiny after lawmakers discovered that basic security gaps are exposing billions of photos to hackers and foreign spies.
Sen. Ron Wyden and Rep. Raja Krishnamoorthi sent a letter to FTC Chairman Andrew Ferguson demanding an investigation into why Flock doesn't require multi-factor authentication for its 5,000+ law enforcement customers. The timing couldn't be worse for the Atlanta-based company, which has been rapidly expanding its surveillance footprint across American cities.
The security hole is staggering in scope. While Flock offers MFA as an option, the company admitted to Congress in October that it doesn't mandate the basic protection. That leaves roughly 3% of police departments - potentially dozens of agencies - operating with password-only access to a system that tracks where Americans drive every day.
"If hackers or foreign spies learn of a law enforcement user's password, they can gain access to law-enforcement-only areas of Flock's website and search the billions of photos of Americans' license plates," the lawmakers wrote. The implications extend far beyond typical data breaches - this involves real-time tracking capabilities that could compromise ongoing investigations or enable surveillance by hostile actors.
Evidence of active exploitation is already surfacing. Hudson Rock, a cybersecurity firm that monitors stolen credentials, provided lawmakers with data showing Flock login credentials circulating in criminal networks. Independent researcher Benn Jordan went further, sharing screenshots of a Russian cybercrime forum allegedly selling direct access to Flock accounts.
The company's response reveals just how recently it recognized the problem. Chief Legal Officer Dan Haley told TechCrunch that Flock only switched to MFA-by-default for new customers in November 2024 - meaning legacy accounts remained vulnerable for years. Even now, 97% adoption leaves "dozens of law enforcement agencies" exposed, according to Haley's own math.
Flock spokesperson Holly Beilin declined to specify which agencies haven't enabled MFA or whether federal departments are among the holdouts. The company also won't explain why it doesn't simply require the security feature across the board.
This isn't Flock's first brush with unauthorized access. 404 Media previously reported that the Drug Enforcement Administration used a local police officer's stolen password to search Flock's database for immigration violations - without the officer's knowledge. The Palos Heights Police Department only implemented MFA after discovering the breach.
The incident highlights a broader problem with how federal agencies piggyback on local surveillance infrastructure. Flock's platform gives authorized users access to billions of license plate photos from cameras installed across the country, creating a de facto national tracking system that federal agencies can tap through local partnerships.
For context, Flock has positioned itself as the backbone of modern policing, with cameras that automatically scan passing vehicles and alert officers to stolen cars or wanted suspects. The company's rapid growth has made it a critical piece of law enforcement infrastructure, but also a high-value target for adversaries seeking surveillance capabilities.
The congressional letter represents a significant escalation in oversight of surveillance technology companies. Wyden and Krishnamoorthi are specifically asking the FTC to investigate whether Flock's practices constitute unfair or deceptive business practices under federal consumer protection law.
The timing puts pressure on both Flock and the broader surveillance industry to demonstrate stronger security practices. With license plate readers becoming ubiquitous in American cities, the potential for widespread compromise grows with each new installation.
The Flock Safety investigation represents more than just another data breach story - it's a wake-up call about the hidden vulnerabilities in America's rapidly expanding surveillance infrastructure. As cities rush to deploy automated tracking systems, the question isn't just whether they're effective at catching criminals, but whether they're creating new attack vectors for foreign adversaries. The 97% MFA adoption rate might sound impressive, but in a system tracking billions of vehicle movements, even 3% represents a massive security gap that lawmakers are no longer willing to tolerate.