Jail calling service Pay Tel has secured a publicly uncovered cloud server storing a whole lot of 1000’s of driver’s licenses and different delicate details about individuals who used its companies, in line with a cybersecurity agency that alerted the corporate to the safety lapse.
Safety researchers with UpGuard stated in a blog post that they recognized a Microsoft Azure-hosted storage server storing no less than 300,000 driver’s license scans and different government-issued id paperwork belonging to Pay Tel.
The server was unprotected with out a password, permitting the info inside to be accessible from the online.
Pay Tel supplies tablets and different communication units to prisons throughout a lot of the US for inmates to obtain calls. Clients signing as much as Pay Tel have to supply a replica of their identification paperwork and a profile picture earlier than they will use the service, which UpGuard stated have been uncovered. The safety researchers stated inmate communications, together with textual content messages, handwritten notes, and monetary data, have been additionally uncovered on account of the safety lapse.
UpGuard stated it alerted Pay Tel on Might 7 after figuring out that the corporate managed the server and adopted up days later earlier than it was secured. Pay Tel has not but acknowledged the safety incident.
The info publicity at Pay Tel is the newest instance in current months of tech corporations leaving individuals’s extremely delicate paperwork on the open internet for anybody to seek out. TechCrunch has reported on this recurring downside of corporations typically misconfiguring their methods or falling under cybersecurity greatest practices, and in consequence, permitting anybody on the web to view their clients’ private info.
UpGuard stated most of the user-uploaded images additionally contained the exact real-world location of the place the pictures have been taken; in some instances, granular sufficient to determine somebody’s house handle.
That is Pay Tel’s second recognized safety lapse in as a few years, following a ransomware attack in June 2025.
Pay Tel president Vincent Townsend didn’t reply to an e mail from TechCrunch with questions in regards to the safety lapse. It’s unclear if the corporate plans to inform the people whose information was uncovered or if the corporate will alert attorneys basic below U.S. state information breach notification legal guidelines.
TechCrunch couldn’t confirm who, if anybody, is chargeable for cybersecurity at Pay Tel.
Once you buy by way of hyperlinks in our articles, we may earn a small commission. This doesn’t have an effect on our editorial independence.
