Pay Tel prison comms service exposed 300,000 driver’s licences in cloud security lapse

Prison communication provider Pay Tel has secured a cloud server that was publicly accessible and contained scans of more than 300,000 driver’s licences and other government-issued identification documents. The data breach was identified by cybersecurity firm UpGuard, which reported that the Microsoft Azure-hosted storage unit lacked password protection, allowing unrestricted web access to the files.

The exposed data included inmate communications such as text messages, handwritten notes, and financial records, alongside user profile photos. UpGuard noted that many of these images contained precise geolocation metadata, with some granular enough to identify specific home addresses. Pay Tel requires customers to submit identification documents and photos to access its tablets and communication devices in correctional facilities across the United States.

UpGuard alerted Pay Tel to the security lapse on 7 May after determining the company managed the server. The firm followed up days later before the data was secured. Despite the resolution of the immediate technical issue, Pay Tel has not publicly acknowledged the incident. Requests for comment directed to Pay Tel president Vincent Townsend were not returned.

This incident marks the second known security failure for Pay Tel in two years, following a ransomware attack in June 2025. The breach aligns with a broader trend of technology companies misconfiguring cloud systems, leaving sensitive customer data exposed on the open web due to inadequate cybersecurity practices.

It remains unclear whether Pay Tel intends to notify the individuals whose data was exposed or if it will alert US state attorneys general in compliance with data breach notification laws. Linxi News was unable to ascertain who, if anyone, holds responsibility for cybersecurity within the Pay Tel organisation.