Embedded Files
Published Date : 11/6/2025
US Senator Ron Wyden and Representative Raja Krishnamoorthi are urging the Federal Trade Commission (FTC) to investigate Flock Safety, a surveillance technology company, for its failure to implement basic cybersecurity measures, exposing sensitive data to hackers and foreign intelligence services.
US Senator Ron Wyden and Representative Raja Krishnamoorthi are urging the Federal Trade Commission (FTC) to investigate Flock Safety, a surveillance technology company, for its failure to implement basic cybersecurity measures, exposing sensitive data to hackers and foreign intelligence services.
U.S. Senator Ron Wyden and Representative Raja Krishnamoorthi are urging the Federal Trade Commission (FTC) to investigate Flock Safety, a fast-growing surveillance technology company, for its failure to implement basic cybersecurity protections. This has exposed sensitive data to hackers, foreign intelligence services, and criminal networks.
The two lawmakers detailed their concerns in a letter sent to FTC Chair Andrew Ferguson on Monday, arguing that Flock’s failure to require strong multi-factor authentication (MFA) has created a significant risk to Americans’ privacy and public safety.
“Flock has received vast sums of taxpayer money to build a national surveillance network,” Wyden and Krishnamoorthi wrote in their letter to Ferguson. “But Flock’s cavalier attitude towards cybersecurity needlessly exposes Americans to the threat of hackers and foreign spies tapping this data. Accordingly, we urge the FTC to hold Flock accountable for its negligent cybersecurity practices.”
Flock Safety operates the nation’s largest network of license plate recognition cameras, with contracts spanning more than 5,000 police departments, 1,000 private companies, and numerous homeowner associations across 49 states. These cameras capture the movements of vehicles, allowing law enforcement agencies to track where drivers travel, down to specific times and locations. The data can reveal personal details, including visits to medical facilities, addiction support meetings, places of worship, and political events.
Wyden and Krishnamoorthi say the company failed to secure this information. “While Flock offers support for MFA, a widely recognized cybersecurity best practice, Flock does not require it, which the company confirmed to Congress in October,” the lawmakers said in their letter. “Moreover, Flock continues to support insecure methods of MFA, such as sending a numeric code to a phone by text message, which is vulnerable to interception and phishing.”
The two lawmakers added that “Flock does not natively support phishing resistant MFA, which the Cybersecurity and Infrastructure Security Agency calls ‘the gold standard method of [MFA].’ Phishing resistant MFA is required of federal agencies and mandated by both the Federal Communications Commission and the FTC.”
The lawmakers pointed to evidence that hackers have already compromised Flock accounts. A public database operated by cybersecurity firm Hudson Rock shows that passwords for at least 35 Flock customer accounts have been stolen. They also cited reports from a Russian language cybercrime forum where Flock account access has allegedly been offered for sale. With access to a single compromised login, an intruder could search billions of license plate scans collected nationwide.
“By not requiring MFA, Flock has enabled unauthorized access through law enforcement officers sharing their Flock passwords,” Wyden and Krishnamoorthi said. One publicized case involved a Drug Enforcement Administration task force using a local Illinois detective’s Flock credentials for searches. According to internal police records disclosed after a press inquiry, multiple federal agents used the detective’s login, and the department had not enabled optional multi-factor authentication until after the incident came to light.
“That numerous federal agents were able to access Flock’s systems using passwords belonging to other users without being detected or blocked raises serious questions about the effectiveness of Flock’s cybersecurity defenses,” the lawmakers said in their letter.
Wyden and Krishnamoorthi noted that the FTC has previously sanctioned companies for failing to require basic security protections. In recent years, Uber, Chegg, Drizly, and Blackbaud have all been subject to FTC enforcement actions after the agency determined their failure to require multi-factor authentication constituted an unfair business practice.
Beyond cybersecurity failures, Wyden has raised broader concerns about how Flock shares data with law enforcement agencies. In October, he accused the company of misleading Oregon communities by promising to block searches related to immigration enforcement and abortion-related investigations. Wyden’s oversight found that the software filters Flock described were easily bypassed and that the company did not audit how its network was being used.
Wyden also said the company was not transparent about which federal agencies can access its data. Recent disclosures show that Customs and Border Protection, Homeland Security Investigations, the U.S. Secret Service, and the Naval Criminal Investigative Service all have had access to Flock systems despite local jurisdictions being told their data would be protected from such use.
“I now believe that abuses of your product are not only likely, but inevitable,” Wyden wrote in an earlier letter to Flock CEO Garrett Langley, adding that the company is “unable and uninterested in preventing them.” Local governments have begun to respond. The city of Eugene, Oregon recently voted to deactivate its Flock cameras while it reevaluates the company’s use and the scope of the data being collected.
Wyden and Krishnamoorthi’s request places the future of Flock’s nationwide network squarely before the FTC. If the commission finds the company failed to protect consumers’ data, it could face sanctions, mandatory security reforms, or restrictions on how its technology may be deployed.
“The FTC must hold Flock accountable,” the lawmakers wrote, arguing that the company has received significant public funding while exposing the public to unnecessary risk. Flock Safety has not yet issued a response to the lawmakers’ request.
Frequently Asked Questions (FAQS):
Frequently Asked Questions (FAQS):
Q: What is Flock Safety?
A: Flock Safety is a surveillance technology company that operates the nation’s largest network of license plate recognition cameras, used by over 5,000 police departments, 1,000 private companies, and numerous homeowner associations across 49 states.
Q: Why are US lawmakers calling for an FTC investigation into Flock Safety?
A: US lawmakers are calling for an FTC investigation into Flock Safety due to the company's failure to implement basic cybersecurity protections, which has exposed sensitive data to hackers, foreign intelligence services, and criminal networks.
Q: What specific cybersecurity measures are missing in Flock Safety's system?
A: Flock Safety does not require multi-factor authentication (MFA), which is a widely recognized cybersecurity best practice. The company also supports insecure methods of MFA, such as sending a numeric code to a phone by text message, which is vulnerable to interception and phishing.
Q: What evidence do the lawmakers have to support their concerns?
A: The lawmakers cite a public database operated by cybersecurity firm Hudson Rock, which shows that passwords for at least 35 Flock customer accounts have been stolen. They also reference reports from a Russian language cybercrime forum where Flock account access has allegedly been offered for sale.
Q: What could be the potential outcomes of the FTC investigation?
A: If the FTC finds that Flock Safety failed to protect consumers’ data, the company could face sanctions, mandatory security reforms, or restrictions on how its technology may be deployed.
More Related Topics :
More Related Topics :
Page updated
Report abuse