Prison phone service Pay Tel has secured publicly available cloud servers storing hundreds of thousands of driver's licenses and other sensitive information about people who use its service, according to a cybersecurity firm that alerted the company to security flaws.
Security researchers at UpGuard said in a blog post that they have identified a Microsoft Azure-hosted storage server that stores at least 300,000 driver's license scans and other government-issued identification documents belonging to Pay Tel.
The server was not protected without a password, so the data inside could be accessed from the web.
Pay Tel provides most prisons in the United States with tablets and other communication devices for inmates to receive phone calls. Customers signing up for Pay Tel must provide a copy of their ID and a profile photo before using the service, which UpGuard says was compromised. Security researchers said inmate communications, including text messages, handwritten notes and financial records, were also exposed as a result of the security lapse.
UpGuard said it alerted Pay Tel on May 7 after determining it had control of the server and followed up with the server several days later until it was secured. Pay Tel has not yet acknowledged the security incident.
The Pay Tel data breach is the latest example in recent months of tech companies leaving people's sensitive documents on the open web for anyone to find. TechCrunch reported on this recurring problem where companies often misconfigure their systems or fall short of cybersecurity best practices, resulting in customers' personal information being visible to anyone on the internet.
UpGuard says many of the photos users upload also include the exact real-world location where the image was taken. In some cases, the information is detailed enough to determine someone's home address.
This is Pay Tel's second known security flaw in recent years, following a ransomware attack in June 2025.
Pay Tel President Vincent Townsend did not respond to an email from TechCrunch with questions about the security revocation. It's unclear whether the company plans to notify individuals whose data was compromised or alert attorneys general under state data breach notification laws.
TechCrunch was unable to confirm who, if anyone, is responsible for Pay Tel's cybersecurity.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.