Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Prison calling service Pay Tel has secured a publicly exposed cloud server that stores hundreds of thousands of driver’s licenses and other sensitive information about people who have used its services, according to a cybersecurity firm that alerted the company to the vulnerability.
said security researchers at UpGuard In a blog post They identified a storage server hosted on Microsoft Azure that stored at least 300,000 copies of driver’s license and other government-issued identity documents that belonged to Pay Tel.
The server was unprotected without a password, allowing the data inside to be accessed from the web.
Pay Tel provides tablets and other communication devices to prisons in most parts of the United States so inmates can take calls. Customers who sign up for Pay Tel must provide a copy of their identity documents and a profile photo before they can use the service, which UpGuard said is exposed. Inmate communications, including text messages, handwritten notes and financial records, were also exposed as a result of the vulnerability, security researchers said.
UpGuard said it alerted Pay Tel on May 7 after confirming the company was managing the server and followed up days later before securing it. Pay Tel has not yet acknowledged the security incident.
The Pay Tel data disclosure is the latest example in recent months of tech companies leaving people’s highly sensitive documents on the open web for anyone to find. TechCrunch reported on this recurring problem that companies often misconfigure their systems or fall under cybersecurity best practices and, as a result, allow anyone on the Internet to view their customers’ personal information.
Many user-uploaded photos also contain the exact real location of where the photos were taken, UpGuard said; In some cases, accurate enough to pinpoint someone’s home address.
This is Pay Tel’s second known security vulnerability in as many years Ransomware attack in June 2025.
Pay Tel’s president, Vincent Townsend, did not respond to an email from TechCrunch with questions about the vulnerability. It is not clear whether the company plans to notify individuals whose data was exposed or whether the company will alert prosecutors under US state data breach notification laws.
TechCrunch was unable to confirm who, if anyone, is responsible for cybersecurity at Pay Tel.
When you make a purchase through the links in our articles, We may earn a small commission. This does not affect our editorial independence.
