Pay Tel Left 300K Inmate Driver's Licenses in an Open Azure Bucket

Pay Tel's job is to connect incarcerated people with the people on the outside who love them. To use the system, a relative on the outside has to submit a driver's license scan—part of the identity verification process that lets a tablet on the inside ring through to a phone in someone's kitchen. UpGuard, an Australian cybersecurity firm that scans for exposed cloud storage at scale, found those driver's license scans on May 7, 2026 in a Microsoft Azure server that any browser could reach.

Key Takeaways

• UpGuard found a Pay Tel Azure storage server with no password exposing more than 300,000 driver's license scans and government-issued ID images on May 7, 2026.
• The same server also held inmate text messages, handwritten letters scanned by the tablet camera, financial records, and photos that retained EXIF location metadata in some cases accurate enough to identify a home address.
• Pay Tel had already suffered a ransomware attack in June 2025, making this the company's second confirmed security incident inside one year.
• Pay Tel president Vincent Townsend has not responded to TechCrunch's inquiries, and the company has not stated whether affected individuals or state attorneys general will be notified under breach notification laws.
• The people whose data leaked are mostly family members of incarcerated people—a population that already faces heightened scam targeting and that has no choice in which vendor their loved one's prison uses.

Who Is Pay Tel and Why Do They Have Your Driver's License?

Pay Tel is one of several private companies that the United States carceral system relies on to provide phone, video, and messaging services inside jails and prisons. The model is straightforward: the prison contracts with the vendor, the vendor installs phones or tablets, and the family on the outside pays per-minute rates to talk to their loved one. Pay Tel's tablets also support messaging and photo sharing, which is where the rest of the leaked data came from.

The driver's license requirement is identity verification. Pay Tel needs to be able to certify that the person on the outside is the one they claim to be before letting them into the system, both for the carrier's own fraud controls and to satisfy facility rules. That requirement means every spouse, parent, sibling, and child of a Pay Tel-served incarcerated person uploads a government photo ID at some point. UpGuard found 300,000+ of those scans sitting in an unprotected bucket.

What Else Was Exposed Besides the Licenses?

The bucket was not just ID storage. According to TechCrunch's reporting, the same server held:

• Text messages between inmates and their families, scanned and stored as image attachments.
• Handwritten letters that the tablet camera had captured and transmitted.
• Financial records associated with the family member's account, including the funds loaded into the account that pays for call minutes.
• User-uploaded photos that, in some cases, retained EXIF GPS metadata granular enough to identify the home address where the photo was taken.

A prison communications dataset is not like a marketing list. Letters between an incarcerated parent and a child, conversations about parole hearings, custody disputes, medical conditions, and ongoing legal cases all sit inside the messages. Many of those communications are subject to attorney work product or therapeutic confidentiality. None of them were ever meant to be reachable by an unauthenticated HTTPS request.

How Did UpGuard Find the Server?

UpGuard runs continuous scans for misconfigured cloud storage across the major providers, looking for servers and buckets that should require authentication but do not. The firm has been responsible for exposing a long list of similar incidents over the past several years, including major leaks from Verizon, Booz Allen Hamilton, and Capital One precursors. The pattern is the same every time: a developer or operator stands up a storage account, sets permissive defaults for convenience, and then forgets to lock it down before going live.

UpGuard alerted Pay Tel on May 7, 2026 once the server was identified. The exposure window before that, including how long the data had been reachable from the public internet and whether anyone besides UpGuard had accessed it, is unknown. Pay Tel has not confirmed whether the server held access logs or whether those logs are being preserved for forensic analysis.

This is the second known incident at Pay Tel in roughly a year. In June 2025, the company suffered a ransomware attack. The combination—ransomware followed by a basic cloud misconfiguration eleven months later—suggests that the lessons from the first incident did not propagate into operational security.

Why Is the Family Member, Not the Inmate, the Real Victim?

Family members of incarcerated people are already a population that scammers know how to find. Public inmate locator databases reveal who has a relative in custody. Funeral notices, court filings, and victim impact statements add context. Once a scammer also has the family member's driver's license, home address, and the text history that proves an emotional connection with someone behind bars, the next move is a phone call.

The standard scam aimed at families of incarcerated people pretends to be the public defender, the prison ombudsman, a parole board contact, or—most cruelly—a bail bondsman with news about an emergency hearing. The scam asks for an immediate wire transfer or gift card payment. The leaked Pay Tel data gives the scammer everything they need to make the call sound legitimate: the family's name, the address on file, the inmate's first name, the right facility, sometimes even a piece of context lifted directly from a real Pay Tel message exchange.

The same risk profile applies to attorneys, court appointed advocates, and journalists corresponding with sources inside the system. The Crime Stoppers P3 anonymous tips breach follows an almost identical pattern: a vendor in the criminal justice supply chain stores sensitive third party data, the storage is misconfigured, and the people who depended on the system's confidentiality have no remediation path.

What Should Affected Families Do?

Pay Tel has not yet confirmed it will notify affected individuals. Most US state breach notification laws are triggered by exposure of driver's license numbers and require notification within 30 to 60 days, but enforcement depends on the company actually disclosing. In the meantime, the practical guidance is:

1. Place a free credit freeze with all three US credit bureaus. A driver's license is one of the strongest documents an identity thief can present, and a freeze blocks new credit lines opened in your name without your authorization.
2. Treat any "urgent" call about your incarcerated relative as a scam until proven otherwise. Real prison officials, public defenders, and court personnel do not call asking for wire transfers or gift cards. Hang up and call the facility's published main line directly.
3. Watch your inbox. The leaked data includes email addresses associated with Pay Tel accounts. Phishing operators will use that pairing to send fake "Pay Tel security update" emails with hidden tracking pixels that confirm the address is live. Gblock strips those pixels before they fire, so a phishing operator never gets the confirmation that turns your inbox into a priority target.
4. File a complaint with your state attorney general. Even if Pay Tel does not notify proactively, individual complaints accumulate and shape whether enforcement opens.

The Vendor Choice That Was Never Yours

There is one detail of the Pay Tel breach that distinguishes it from a leak at a normal consumer service. The people whose data was exposed did not choose Pay Tel. They were forced to use it because their loved one's prison contracted with that vendor, and prison communications contracts are negotiated between facility administrators and the vendor with no consumer input. The market has no exit option. Until contracting authorities treat data protection as a procurement criterion, the same Azure-bucket-left-public failure will keep happening to the same captive population.