US lawmakers want FTC to investigate this license plate-scanning company for this ‘Big Hacking Fear’

Two US lawmakers have called on the Federal Trade Commission (FTC) to investigate Flock Safety. The company which operates a network of license plate-scanning cameras in the US is being accused of failing to enforce cybersecurity protections.

Senator Ron Wyden (D-OR) and Representative Raja Krishnamoorthi (D-IL) sent a letter urging FTC Chairman Andrew Ferguson to investigate why Flock does not require multi-factor authentication (MFA). Lawmakers argued that the lack of mandatory MFA leaves the camera network vulnerable to hackers and spies. In a letter to the FTC, the lawmakers stated that while the company offers its law enforcement customers the ability to enable MFA, “Flock does not require it, which the company confirmed to Congress in October.”According to a report by TechCrunch, Wyden and Krishnamoorthi warned that if hackers or foreign spies obtain a law enforcement user’s password, “they can gain access to law-enforcement-only areas of Flock’s website and search the billions of photos of Americans’ license plates collected by taxpayer-funded cameras across the country.”Flock operates an extensive network of cameras and license plate readers in the US, providing access to over 5,000 police departments and private businesses nationwide.

The company’s cameras capture license plates of passing vehicles, allowing authorised police and federal agencies to search through billions of stored images and view vehicle movement history when needed.

What US lawmakers said about Flock’s security

The lawmakers claimed that they found evidence that some of Flock’s law enforcement customers had their login credentials stolen and shared online, citing information from cybersecurity firm Hudson Rock.

This company tracks compromised usernames and passwords.Meanwhile, independent security researcher Benn Jordan also provided lawmakers with a screenshot from a Russian cybercrime forum that was allegedly selling access to Flock logins.When contacted by TechCrunch, Flock referred to a letter from its chief legal officer, Dan Haley, stating that the company enabled multi-factor authentication (MFA) by default for all new customers starting in November 2024, and that 97% of its law enforcement customers have activated MFA.That leaves about 3% of customers, potentially several law enforcement agencies, who have chosen not to enable MFA for “reasons specific to them,” Haley wrote.Flock spokesperson Holly Beilin did not specify the number of law enforcement customers who have not activated MFA, whether any federal agencies are among them, or why the company does not require all customers to enable the feature.As previously reported by 404 Media, the US Drug Enforcement Administration used a local police officer’s login credentials to access Flock cameras in an investigation involving an “immigration violation,” without the officer’s knowledge. The Palos Heights Police Department later enabled multi-factor authentication following the incident.