Federal lawmakers have called on regulators to investigate Flock Safety in Washington, D.C. after evidence emerged that stolen police usernames and passwords are being used to access the business’s huge license plate recognition cameras. The worry is understandable and serious: if criminal organizations or foreign intelligence services acquire a cop’s password, they can reportedly get access to a system that monitors automobiles across the nation.
Flock’s failure to execute multi-factor authentication is cited in a letter to the Federal Trade Commission by Senators Ron Wyden and Representative Raja Krishnamoorthi, which indicates that sensitive law enforcement tools are open to account takeovers. The lawmakers cautioned that hacked logins might put billions of images obtained by taxpayer-funded cameras for investigative searches far beyond their intended use.
Stolen credentials put a massive ALPR network at risk
Flock Safety operates one of the nation’s largest automatic license plate reader systems, with access to over 5,000 police departments and a large number of private companies. Authorized users may search for particular plates, locate time-stamped sightings, and map the vehicle’s activity sequence using a continuous stream of photos on the platform.
At least some law enforcement users are using data from a cybersecurity company indicating that their logins have been penetrated by data-harvesting malware and posted on the internet. Independent security researcher Benn Jordan presented a screenshot of a Russian cybercrime forum advertising access to Flock accounts. The publication underlines how quickly stolen credentials may turn into real-world exploitation.
The risk isn’t theoretical. An earlier investigation by 404 Media recounted how a federal agency used a Flock camera to gain access with a local officer’s password, without the officer’s cognizance. That department subsequently enabled additional protections, but the example indicates that a single credential—user password or password-recovery email—is enough to open up a large, city-sized capability.
Flock offers MFA but does not enforce its use globally. In a letter to Congress, the company claims that most customers have turned MFA on, yet 3% have not. With thousands of agencies using the platform, that 3% still represents tens of police departments with just a password standing between them and a powerful search capability.
Leading security bodies and prominent tech platforms have maintained for years that MFA is not a checkpoint, but a control—perhaps the most effective one against account compromise. Microsoft states that MFA halts more than 99.9% of automated account takeover attempts, and CISA often advises “default-on” settings. Making MFA optional for a system is likely to prompt regulators to ask a core question: does the organization practice reasonable security? The FTC has interceded numerous times in situations where administrations do not put fundamental protections around sensitive systems, which falls under their Section 5 unfair or deceptive practices authority. ALPR nets, which can ascertain intimate factoids about where one resides, works, worships, and seeks medical help, are specific information that demands more rigorous defense.
Regulators urge default MFA and stronger controls for ALPRs
Flock has not disclosed publicly how many law enforcement customers are currently operational without MFA in place or if any federal users are among them—it says most agencies have enabled the feature. Still, regulators and security experts argue systems of this sensitivity should require MFA by default and, where feasible, mandate the use of phishing-resistant options like FIDO2 security keys.
Certain agencies report it is logistically challenging, citing legacy workflow systems, ongoing systems, or smartphones, yet others are already required to use multi-factor authentication for specific databases under the FBI’s Criminal Justice Information Services Security Policy. Vendors supporting such a market segment regularly offer enhanced SSO and forced MFA enforcement policies; whether these controls are mandatory is a policy decision rather than a technological issue.
There’s a scale and retention issue here, too: Flock’s datasets, typically on the order of a 30-day retention period according to the user’s policy, are massive and constantly updated, meaning rapid misuse and rewind are feasible. Strong audit logs, IP allow listing, session remediation, and conduct analytics should go hand in hand with rigid MFA to limit the blast radius of a single, traded account.
Why this issue goes beyond a single ALPR vendor
Credential theft persists as the predominant vector in cyber strikes. Verizon’s Data Breach Investigations Report for 2024 found the ongoing involvement of stolen usernames and the human aspect in these attacks.
Recommended fixes for agencies and vendors
The fix is simple:
- Mandate MFA for all law enforcement portals.
- Demand phishing-resistant options for escalated permissions.
- Make ALPR platforms undergo independent security audits.
Procurement contracts can explicitly define these expectations. Vendors may set enforcement dates but only do so with substantial, proactive support for agencies needing implementation assistance.
What to watch next
The FTC may inquire whether Flock’s security defaults are appropriate given the service’s sensitivity. State AGs and local oversight may be influential, especially when ALPR deployments are funded with public dollars. The proof is in the pudding. In a world where stolen credentials are exchanged in the millions, optional security is insecure security. The bottom line is that for a system with the ability to recreate a person’s actions, this minimum standard is too low, and it is non-negotiable.
