Prison call service Pay Tel has secured a publicly exposed cloud server that stores hundreds of thousands of driver’s licenses and other sensitive information about people who used its services, according to a cybersecurity firm that alerted the company to the security breach.
UpGuard security researchers said in a blog post that they located a storage server hosted by Microsoft Azure that stores at least 300,000 scans of driver’s licenses and other government-issued identification documents belonging to Pay Tel.
The server was unprotected without a password, allowing the media data to be accessed from the web.
Pay Tel provides tablets and other communication devices to prisons across much of the United States for inmates to receive calls. Customers signing up to Pay Tel must provide a copy of their identification documents and a profile photo before they can use the service, which UpGuard said was exposed. Security researchers said inmate communications, including text messages, handwritten notes and financial records, were also exposed as a result of the security breach.
UpGuard said it notified Pay Tel on May 7 after it found the company was running the server, and it followed days later before it was secured. Pay Tel has not yet acknowledged the security incident.
The Pay Tel data exposure is the latest example in recent months of tech companies putting people’s highly sensitive documents out on the open web for anyone to find. TechCrunch has reported on this recurring problem of companies often defacing their systems or falling short of cybersecurity best practices and thereby allowing anyone on the Internet to view their customers’ personal information.
UpGuard said many of the photos uploaded by users also contained the exact real-world location where the images were taken. in some cases, detailed enough to identify someone’s home address.
This is Pay Tel’s second known security bug in as many years, after a ransomware attack in June 2025;.
Pay Tel president Vincent Townsend did not respond to an email from TechCrunch with questions about the security breach. It is unclear whether the company plans to notify the individuals whose data was exposed, or whether the company will notify attorneys general under US data breach laws.
TechCrunch was unable to ascertain who, if anyone, is responsible for cybersecurity at Pay Tel.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
