Lawmakers say stolen police logins are exposing Flock surveillance cameras to hackers
Lawmakers have called on the Federal Trade Commission to investigate Flock Safety, a company that operates license plate-scanning cameras, for allegedly failing to implement cybersecurity protections, leaving its camera network exposed to hackers and spies.

In a letter sent by Sen. Ron Wyden (D-OR) and Rep. Raja Krishnamoorthi (D-IL, 8th), the lawmakers urge FTC chairman Andrew Ferguson to probe why Flock does not enforce the use of multi-factor authentication (MFA), a security protection that prevents malicious access by someone with knowledge of the account holder’s password.

Wyden and Krishnamoorthi said that while the company offers its law enforcement customers the ability to enable MFA, “Flock does not require it, which the company confirmed to Congress in October,” according to the letter.

Wyden and Krishnamoorthi said that if hackers or foreign spies learn of a law enforcement user’s password, “they can gain access to law-enforcement-only areas of Flock’s website and search the billions of photos of Americans’ license plates collected by taxpayer-funded cameras across the country.”

Flock operates one of the largest networks of cameras and license plate readers in the U.S., providing access to more than 5,000 police departments, as well as private businesses, across the country. Flock’s cameras scan the license plates of passing vehicles so that police and federal agencies with logins to Flock’s platform can search the billions of captured photos and track where vehicles have traveled at any given time.

The lawmakers said that they had found evidence that some of Flock’s law enforcement customers’ logins had been previously stolen and shared online, citing data from Hudson Rock, a cybersecurity company that identifies usernames and passwords stolen by information-stealing malware.

Independent security researcher Benn Jordan also provided the lawmakers with a screenshot showing a Russian cybercrime forum allegedly selling access to Flock logins.

When reached by TechCrunch for comment, Flock shared the company’s response in a letter from its chief legal officer Dan Haley, in which he says the company switched on MFA by default for all new customers starting in November 2024 and that 97% of its law enforcement customers have enabled MFA to date.

That leaves around 3% of the company’s customers — potentially dozens of law enforcement agencies — that have declined to switch on MFA, citing “reasons specific to them,” Haley wrote.

Holly Beilin, a spokesperson for Flock, did not immediately provide a specific number of law enforcement customers that have not yet switched on MFA, nor did she say if any federal agencies are among the remaining customers, or for what reason Flock does not require its customers to switch on the security feature.

As previously reported by 404 Media, the U.S. Drug Enforcement Administration used a local police officer’s password to access Flock’s cameras to search for an individual suspected of an “immigration violation,” but without the officer’s knowledge. The Palos Heights Police Department said it switched on multi-factor authentication following the breach.

Zack Whittaker is the security editor at TechCrunch.
