According to an exclusive report by TechCrunch on May 28, security research firm UpGuard discovered that a storage server hosted on Microsoft Azure by U.S. prison communications provider Pay Tel had no password protection, allowing anyone on the public internet to access the data. The exposed information includes at least 300,000 scanned copies of callers’ driver’s licenses and other government-issued IDs, personal photos uploaded during user registration, as well as inmates’ text messages, handwritten letters, and financial records. UpGuard also noted that some user-uploaded photos contained precise GPS coordinates, detailed enough to pinpoint the individual’s home address. Pay Tel supplies tablets and communication devices to prisons in several U.S. states, and users must submit a photo ID to register for the service. UpGuard notified Pay Tel on May 7, and the data was made private only after multiple follow-ups. Company president Vincent Townsend did not respond to requests for comment and has not publicly acknowledged the incident.
This leak is the second known security incident for Pay Tel in less than two years, following a ransomware attack in June 2025. It is not known whether anyone accessed or downloaded the data before it was discovered, and Pay Tel has made no statement about whether it has complied with state data breach notification laws. UpGuard points out that large-scale data exposure from unprotected cloud storage buckets has become a recurring security problem, and that the people who rely on prison communication systems are already in a vulnerable position, which adds to the severity of such incidents.