Federal lawmakers are demanding that the Federal Trade Commission investigate Flock Safety after evidence surfaced that law-enforcement account credentials have been stolen and shared online — raising concerns that hackers or foreign intelligence actors could gain access to the company’s vast license plate-reader network. According to a letter from Ron Wyden (D-OR) and Raja Krishnamoorthi (D-IL), Flock offers multi-factor authentication (MFA) for its clients but does not require it, leaving roughly 3 % of users — “potentially dozens” of agencies — exposed. The platform, which serves more than 5,000 police agencies and private entities, allows search of billions of captured license-plate images and vehicle movement history, meaning a compromised login could access deeply sensitive data. Independent research by cybersecurity firm Hudson Rock and others reportedly found that Flock law-enforcement credentials had been stolen via malware and sold on a Russian cyber-crime forum. Flock responded by saying MFA is enabled by default for all new customers as of November 2024 and 97 % of current law-enforcement users have activated it, though the company did not disclose details about the remaining 3 %.
Sources: The Record, SC World
Key Takeaways
– Weak enforcement of multi-factor authentication at Flock Safety creates a vulnerability in a surveillance platform used by thousands of police and private organizations.
– Stolen law-enforcement logins tied to Flock Safety have appeared online, making it possible that hackers or foreign intelligence agents could exploit the system to search billions of license-plate images.
– Regulators and lawmakers are now calling for scrutiny of Flock’s cybersecurity practices under the FTC’s authority, potentially heralding enforcement action or regulatory oversight of surveillance-tech providers.
In-Depth
The story of Flock Safety’s surveillance-camera network is unfolding at a tense intersection of technology, law-enforcement utility and civil-liberties risk. At its core is the fact that the company operates one of the largest automatic license-plate-reader (ALPR) systems in the United States, providing law-enforcement agencies — and increasingly private businesses and homeowners associations — the ability to capture, store and search images of vehicles passing by its cameras. Those images can tie a vehicle, by plate and timestamp and location, into a larger trail of movement. When paired with metadata and law-enforcement watch-lists, the system can become a powerful investigative tool. But power cuts both ways: if that access is improperly secured, the threat shifts from criminal-investigation to pervasive surveillance, misuse, or abuse.
Lawmakers – spearheaded by Senator Ron Wyden and Representative Raja Krishnamoorthi – have voiced concern that Flock does not require its clients to implement multi-factor authentication (MFA). In their letter to the FTC, they cited data from Hudson Rock showing that Flock law-enforcement client credentials had been exposed via malware and sold on Russian cyber-crime forums. The letter argues that the absence of a mandatory security layer means that once a password is harvested and shared, the platform’s layers fall away, allowing someone with stolen credentials to access “law-enforcement-only” sectors of Flock’s website, search through billions of plates and trace vehicle movement. The risks are amplified by Flock’s footprint: the company serves more than 5,000 agencies and has captured vehicle-data at large scale.
Flock’s defense is that it turned MFA on by default for new customers as of November 2024 and that 97 % of its law-enforcement customers have adopted MFA so far. The company however did not require MFA from all users immediately, and about 3 % of clients remained without it, according to its chief legal officer Dan Haley. That small percentage could still represent dozens of agencies whose records and access remain vulnerable. Moreover, critics argue that optional MFA is insufficient for a system that deals in sensitive vehicle-location and pattern-data for millions of Americans. Allowing users — especially in public-safety roles — to decline MFA is viewed by some cybersecurity experts as leaving a door open for account takeover.
Beyond the credential issue, the oversight challenges mount. Flock has publicly acknowledged issues around data-sharing. For instance, in Illinois, the Secretary of State’s audit found that federal agencies such as Customs and Border Protection (CBP) had accessed data collected by Flock’s network in violation of a state law restricting out-of-state use of such data for immigration or abortion-related enforcement. In response the company paused certain federal pilot programs and promised enhanced compliance tools. But the broader question remains: when local police, private property owners and multiple agencies feed data into a single centralized network, who watches the watchers? How is it audited? Who controls access? And critically, when credentials are compromised, what stops third-party or state-actor intrusion into datasets that are built to monitor where Americans go, how long they stop and what vehicle they use?
The lawmakers’ request to the FTC is therefore not just about a single company’s technical mis-step; it signals a broader regulatory moment for surveillance-tech vendors whose networks span tens of thousands of cameras. The issue becomes one of reasonable security standards: for a company whose system holds the movement-history of vehicles and functionally maps citizens’ travel patterns, is it enough to leave selective security to the user? Or is the obligation to enforce strong default protections and auditing baked-in? In the face of account-theft evidence, critics say optional MFA and incomplete audit control fall short.
From a conservative lens, there is a fundamental property-rights and government-accountability angle here. Police and private actors are using taxpayer-funded surveillance infrastructure that effectively observes public movement, yet the private vendor whose system underpins it deferred to client choice on security. That raises questions about the proper role of private contractors in constructing networks of public-safety surveillance and what fiduciary duty they owe to citizens — especially when vulnerabilities enable external intrusion. The fact that law-enforcement agency credentials can leak into the wild and possibly grant third-parties unfettered access to where vehicles have been resonates with concerns about privacy, sovereignty and the limits of state-capability.
Going forward, we might expect the FTC to assess whether Flock’s optional MFA constitutes “unfair or deceptive acts or practices” under its regulatory remit. The investigation, if opened, could trigger mandated changes not only at Flock but across the broader surveillance-industry ecosystem: default-on MFA, phishing-resistant credentials, rigorous audit logs, stronger role-based access controls, and mandated transparency around data-sharing between federal, state and local agencies. For municipalities and private contractors using Flock’s network, now may be the time to verify that MFA is enabled, audit account-access logs, restrict data-sharing terms, and reassess vendor contracts under the lens of security-and-civil-liberties risk.
For ordinary citizens, the insight is simple: the cameras scanning vehicles may be doing far more than catching stolen cars. They accumulate patterns of movement, destinations, durations — and when the front-door to this system is a police login, a stolen password can turn what was a law-enforcement tool into a surveillance vector. Ensuring that those front-doors are protected is not just a tech matter, it’s a matter of preserving civil-liberty safeguards in the age of ubiquitous sensors. The Flock Safety case may well become a precedent-setting moment for how we regulate the intersection of technology, surveillance and public-safety infrastructure.