Tools / News / Prison Phone Vendor Pay Tel Left 3.4 Million Files Open on Azure, Exposing 300,000 Driver's Licenses
Press

Prison Phone Vendor Pay Tel Left 3.4 Million Files Open on Azure, Exposing 300,000 Driver's Licenses

· VaultTools

On May 28, 2026, TechCrunch reported that UpGuard found a publicly accessible Microsoft Azure bucket belonging to prison phone vendor Pay Tel. It held 3.4 million files (1.1 TB) with no password, including more than 300,000 unredacted driver's license scans, legal documents, and family photos carrying GPS location data. The bucket had been open since 2018.

VaultTools · June 4, 2026

A row of gray public phone booths, illustrating a prison communication vendor whose document uploads were left exposed on a cloud server. Photo on Unsplash

Table of Contents

What Happened

On May 28, 2026, TechCrunch reported that security researchers at UpGuard found a Microsoft Azure storage server belonging to Pay Tel, a company that provides tablets and calling devices to prisons across much of the United States. The server was, in TechCrunch’s words, “unprotected without a password, allowing the data inside to be accessible from the web.”

Pay Tel handles communications between incarcerated people and the friends and family who call or message them. To verify those outside contacts, the service collects scanned identity documents. Those scans, along with messages and photos, were sitting in an open bucket.

According to UpGuard’s report, the bucket held roughly 3.4 million files totaling 1.1 TB and had been live since 2018, still receiving new uploads at the time of discovery. UpGuard analyzed a sample of about 314 GB, or 500,000 files.

What Was Exposed

UpGuard’s analysis found more than 300,000 unredacted identification cards, primarily driver’s licenses. Most belonged to non-incarcerated individuals, the friends and family communicating with inmates, rather than to the prisoners themselves.

The dataset went well beyond ID scans. UpGuard documented thousands of legal documents (court filings, warrants, and case motions), financial records (deposit receipts and commissary orders), and roughly 10 percent personal communications such as text message screenshots, letters, and prison messaging app content. Family photographs were also present.

Many of the user-uploaded photos carried GPS metadata. TechCrunch reported that the location data was in some cases “granular enough to identify someone’s home address.”

How the Data Was Left Open

UpGuard states the Azure bucket was “configured to be publicly accessible, without any authentication or identification.” The bucket name contained “cdn,” which pointed to production infrastructure rather than a forgotten test environment.

There was no breach of a firewall and no stolen credential. Anyone who reached the address could read the files. UpGuard attributed the bucket to Pay Tel through sibling buckets carrying Pay Tel branding, GPS metadata matching Pay Tel facility locations concentrated in Georgia and North Carolina, and device metadata consistent with inmate tablets.

This was Pay Tel’s second known security lapse in two years, following a ransomware attack in June 2025.

The Disclosure Timeline

UpGuard documented the sequence. The firm discovered and began analyzing the bucket on May 4, 2026, downloaded a sample on May 5, and notified Pay Tel at privacy@paytel.com on May 7. After no response, UpGuard escalated to company leadership on the morning of May 11. The bucket was secured around 1 PM Pacific that same day.

As of TechCrunch’s publication on May 28, Pay Tel had not acknowledged the incident. President Vincent Townsend did not respond to TechCrunch’s email, and it was unclear whether the company planned to notify the people whose data was exposed.

Why This Matters for Browser-Based File Tools

The Pay Tel exposure follows a pattern this newsletter keeps documenting. A scanned passport, a driver’s license, or a court filing only leaks because it was uploaded somewhere and stored on a server that someone later misconfigured. The bucket had been collecting documents since 2018. The damage was not a clever attack. It was a setting left on default.

The structural lesson is simple. A file that never leaves the device cannot sit in an open bucket. When a document is processed locally, in the browser, there is no upload, no server-side copy, and no storage configuration to get wrong years later.

That is the entire premise behind privacy-first browser tools. Compressing a PDF, stripping EXIF data from a photo, or converting an image happens on the user’s own machine. The bytes are never transmitted, so there is nothing for a vendor to expose. For the kind of sensitive identity documents at the center of the Pay Tel leak, local processing removes the failure mode rather than promising to manage it.

Sources

← Back to all news