
Prison phone service Pay Tel has discovered a publicly visible cloud server that stores hundreds of thousands of driver’s licenses and other personal information about people who used its services, according to a cybersecurity firm that warned the company of a security breach.
Security researchers with UpGuard said in a blog post that they identified a server hosted by Microsoft Azure that stores at least 300,000 driver’s licenses and other government-issued Pay Tel documents.
The server was password-protected, allowing the data it contained to be accessed from the Internet.
Pay Tel provides tablets and other communication equipment to prisons in many parts of the United States so that inmates can receive calls. Customers who sign up with Pay Tel have to provide their identification and photo ID before using the service, information that UpGuard said was exposed. Security researchers said inmate communications, including text messages, handwritten notes, and financial records, were also exposed as a result of reduced security.
UpGuard said it alerted Pay Tel on May 7 after discovering that the company had been monitoring the server and tracking it for several days before it was secured. Pay Tel has not yet approved security measures.
The disclosure of data to Pay Tel is the latest example in recent months of technology companies leaving sensitive public documents online for anyone to find. TechCrunch has reported on the recurring problem of companies often compromising their systems or falling short of good cybersecurity practices, and as a result, allowing anyone on the Internet to see their customer information.
UpGuard said that many of the photos taken by users also contain the exact location where the photos were taken; in some cases, granular enough to identify a person’s home address.
This is Pay Tel’s second security breach in as many years, following a ransomware attack in June 2025.
Pay Tel President Vincent Townsend did not respond to an email from TechCrunch with questions about the security breach. It is not clear whether the company intends to notify the individuals whose data was exposed or whether the company will notify the attorney general under the US federal law of the breach.
TechCrunch was unable to determine who, if anyone, is responsible for cybersecurity at Pay Tel.