Prison calling service Pay Tel has secured a publicly exposed cloud server storing hundreds of thousands of driver’s licenses and other sensitive information about people who used its services, according to a cybersecurity firm that alerted the company to the security lapse.
Security researchers with UpGuard said in a blog post that they identified a Microsoft Azure-hosted storage server storing at least 300,000 driver’s license scans and other government-issued identity documents belonging to Pay Tel.
The server was unprotected without a password, allowing the data inside to be accessible from the web.
Pay Tel provides tablets and other communication devices to prisons across much of the United States for inmates to receive calls. Customers signing up to Pay Tel have to provide a copy of their identification documents and a profile photo before they can use the service, which UpGuard said were exposed. The security researchers said inmate communications, including text messages, handwritten notes, and financial records, were also exposed as a result of the security lapse.
UpGuard said it alerted Pay Tel on May 7 after determining that the company managed the server and followed up days later before it was secured. Pay Tel has not yet acknowledged the security incident.
The data exposure at Pay Tel is the latest example in recent months of tech companies leaving people’s highly sensitive documents on the open web for anyone to find. TechCrunch has reported on this recurring problem of companies often misconfiguring their systems or falling below cybersecurity best practices, and as a result, allowing anyone on the internet to view their customers’ personal information.
UpGuard said many of the user-uploaded photos also contained the precise real-world location of where the images were taken; in some cases, granular enough to identify someone’s home address.
This is Pay Tel’s second known security lapse in as many years, following a ransomware attack in June 2025.
Pay Tel president Vincent Townsend did not respond to an email from TechCrunch with questions about the security lapse. It’s unclear if the company plans to notify the individuals whose data was exposed or if the company will alert attorneys general under U.S. state data breach notification laws.
TechCrunch could not ascertain who, if anyone, is responsible for cybersecurity at Pay Tel.
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.