A security lapse at prison pay phone service Pay Tel publicly exposed over 300K callers’ driver’s licenses

Source: TechCrunch

Overview

Prison calling service Pay Tel secured a publicly exposed cloud server that stored hundreds of thousands of driver’s licenses and other sensitive information about people who used its services, according to a cybersecurity firm that alerted the company to the lapse.

Details of the Exposure

• Security researchers at UpGuard identified a Microsoft Azure‑hosted storage server containing at least 300,000 driver’s license scans and other government‑issued identity documents belonging to Pay Tel users.
• The server was unprotected—no password or authentication—allowing the data to be accessed directly from the web.
• In addition to identification documents, the exposed data included:
  • Profile photos submitted by customers
  • Inmate communications such as text messages and handwritten notes
  • Financial records
• Many of the uploaded photos contained precise geolocation metadata, in some cases granular enough to pinpoint a person’s home address.

Company Response

• UpGuard notified Pay Tel on May 7 after discovering the misconfigured server and followed up in the days that followed before the server was secured.
• Pay Tel has not yet publicly acknowledged the incident.
• The company’s president, Vincent Townsend, did not respond to a request for comment.
• It remains unclear whether Pay Tel will notify affected individuals or inform state attorneys general under U.S. data‑breach notification laws.

Context and Related Incidents

• This exposure follows a ransomware attack in June 2025 that also targeted Pay Tel’s inmate‑communication platform. (See the report on the attack here.)
• The incident is part of a broader pattern of tech companies unintentionally leaving highly sensitive documents exposed on the open web due to misconfigurations or failure to follow cybersecurity best practices. TechCrunch has reported on similar cases repeatedly.

References

• UpGuard blog post detailing the breach: Breaking containment: how a corrections vendor exposed inmate communications
• Original ransomware incident coverage: Leakd article on June 2025 attack