Emerging
May 28, 20261
50%
Prison Call Service Pay Tel Exposes 300K+ Driver's Licenses in Cloud Security Breach
Prison communication service Pay Tel exposed over 300,000 driver's licenses and other sensitive identity documents on an unprotected cloud server, according to cybersecurity firm UpGuard. The researchers discovered the Microsoft Azure-hosted server was accessible without password protection and alerted the company on May 7, 2026. This is Pay Tel's second known security incident in two years.
Quick Facts
Who
Pay Tel
What
Unprotected cloud server exposed driver's licenses and identity documents
When
May 7, 2026 (initial notification)
Where
Microsoft Azure cloud server
- Unprotected cloud server exposed driver's licenses and identity documents
- Inmate communications, text messages, notes, and financial records exposed
- Security researchers discovered and reported the misconfiguration
- Server was secured after notification
- Pay Tel
Prison communication service Pay Tel has suffered a significant data security breach involving the exposure of over 300,000 driver's licenses and other sensitive identity documents on an unprotected cloud server. Security researchers at UpGuard discovered the Microsoft Azure-hosted storage server was accessible to anyone on the internet without password protection, containing scans of government-issued identification documents belonging to people who use Pay Tel's services.
Pay Tel provides tablets and communication devices to correctional facilities across the United States, requiring customers to submit copies of identification documents and profile photos before accessing the service. In addition to the exposed driver's licenses, the unsecured server contained inmate communications including text messages, handwritten notes, and financial records. UpGuard researchers noted that many of the uploaded photos included precise geolocation data, in some cases granular enough to identify individuals' home addresses.
UpGuard cybersecurity researchers identified the misconfigured server and notified Pay Tel on May 7, 2026, with follow-up alerts before the company secured the storage. Pay Tel president Vincent Townsend did not respond to inquiries about the incident. It remains unclear whether the company intends to notify affected individuals or comply with state data breach notification laws, and the company has not yet publicly acknowledged the security lapse.
This marks the second known security incident for Pay Tel in as many years, following a ransomware attack in June 2025. The breach exemplifies a recurring pattern of companies misconfiguring cloud storage systems and failing to implement basic cybersecurity protections, inadvertently exposing customers' highly sensitive personal information.
Why This Matters
This breach directly affects hundreds of thousands of incarcerated individuals and their families whose personal identity documents, communications, and location data have been exposed. The incident reveals critical gaps in how prison communication providers handle sensitive government-issued identification and inmate data, raising urgent questions about compliance with data breach notification laws and the adequacy of cybersecurity standards in the correctional system. For readers, it underscores the risks of using third-party communication services in prisons and highlights the need for stronger regulatory oversight of companies handling vulnerable populations' data.
Timeline & Sources
May 7, 2026
WireUpGuard identifies misconfigured server and alerts Pay Tel
May 28, 2026
WireSecurity breach publicly disclosed by TechCrunch