6 days ago
12
Image Credits:Bryce Durbin / TechCrunch11:00 AM PDT · May 28, 2026
Prison calling work Pay Tel has secured a publically exposed unreality server storing hundreds of thousands of driver’s licenses and different delicate accusation astir radical who utilized its services, according to a cybersecurity steadfast that alerted the institution to the information lapse.
Security researchers with UpGuard said in a blog post that they identified a Microsoft Azure-hosted retention server hosting astatine slightest 300,000 operator licence scans and different government-issued individuality documents belonging to Pay Tel.
The server was unprotected without a password, allowing the information wrong to beryllium accessible from the web.
Pay Tel provides tablets and different connection devices to prisons crossed overmuch of the United States for inmates to person calls. Customers signing up to Pay Tel person to supply a transcript of their recognition documents and a illustration photograph earlier they tin usage the service, which UpGuard said were exposed. The information researchers said inmate communications, including substance messages, handwritten notes, and fiscal records, were besides exposed arsenic a effect of the information lapse.
UpGuard said it alerted Pay Tel connected May 7 aft determining that the institution managed the server, and followed up days aboriginal earlier it was secured. Pay Tel has not yet acknowledged the information incident.
The information vulnerability astatine Pay Tel is the latest illustration successful caller months of tech companies leaving people’s highly delicate documents connected the unfastened web for anyone to find. TechCrunch has reported connected this recurring occupation of companies often misconfiguring their systems oregon falling beneath cybersecurity champion practices, and arsenic a result, allowing anyone connected the net to presumption their customers’ idiosyncratic information.
UpGuard said galore of the user-uploaded photos besides contained the precise real-world determination of wherever the images were taken; successful immoderate cases, granular capable to place someone’s location address.
This is Pay Tel’s 2nd known information lapse successful arsenic galore years, pursuing a ransomware onslaught successful June 2025.
Pay Tel president Vincent Townsend did not respond to an email from TechCrunch with questions astir the information lapse. It’s unclear if the institution plans to notify the individuals whose information was exposed oregon if the institution volition alert attorneys wide nether U.S. authorities information breach notification laws.
TechCrunch could not ascertain who, if anyone, is liable for cybersecurity astatine Pay Tel.
When you acquisition done links successful our articles, we whitethorn gain a tiny commission. This doesn’t impact our editorial independence.
Zack Whittaker is the information exertion astatine TechCrunch. He besides authors the play cybersecurity newsletter, this week successful security.
He tin beryllium reached via encrypted connection astatine zackwhittaker.1337 connected Signal. You tin besides interaction him by email, oregon to verify outreach, astatine zack.whittaker@techcrunch.com.
English (US) ·