Pay Tel Data Exposure Leaves More Than 300,000 Driver’s Licenses Accessible Online

Prison communications provider Pay Tel has secured a publicly exposed cloud storage server that contained hundreds of thousands of driver’s licenses and other sensitive personal records belonging to users of its services, according to cybersecurity researchers who discovered the issue.

Security firm UpGuard said in a blog post that it identified a Microsoft Azure-hosted storage server containing at least 300,000 scans of driver’s licenses and other government-issued identification documents associated with Pay Tel customers.

According to the researchers, the server was not protected by a password, leaving the information accessible through the internet.

Pay Tel supplies tablets and communication devices to correctional facilities across large parts of the United States, allowing inmates to make calls and communicate with approved contacts. Customers who register for the service must submit identification documents and profile photographs before gaining access. UpGuard said those records were among the exposed files.

Researchers also found that inmate communications, including text messages, handwritten correspondence, and financial records, were accessible because of the security lapse.

UpGuard said it first notified Pay Tel on May 7 after determining the company was responsible for managing the storage server. The firm followed up several days later, before the exposed data was eventually secured. Pay Tel has not publicly acknowledged the incident.

The exposure is the latest example of a recurring cybersecurity issue in which companies leave highly sensitive customer information exposed online due to misconfigured cloud infrastructure or inadequate security controls. Similar incidents have surfaced repeatedly in recent months, exposing personal records that should have remained protected.

UpGuard noted that many of the uploaded photographs contained embedded location data showing exactly where the images were taken. In some cases, the information was precise enough to reveal an individual’s home address, potentially.

The incident marks the second known cybersecurity issue involving Pay Tel in recent years. The company was previously affected by a ransomware attack in June 2025.

Pay Tel President Vincent Townsend did not respond to requests for comment on the exposed server or the company’s plans to notify affected individuals. It also remains unclear whether Pay Tel intends to inform state attorneys general as required under various U.S. data breach notification laws.

At this time, it is also unknown who oversees cybersecurity operations within the company or whether an internal investigation into the incident has been launched.