It happens. A server. Left wide open.
UpGuard researchers stumbled across it. A Microsoft Azure bucket storing over 300,00 driver’s license scans. Government ID cards too. No password. No protection. Just there. Waiting.
Who uploaded them? Callers to Pay Tel. The service lets families talk to inmates via tablets in US prisons. To get that call set up, you need to upload a photo and copy of your ID. Mandatory stuff. Routine. Until now.
“The server was unprotected.”
But it wasn’t just the IDs. The bucket held texts. Handwritten notes from prisoners. Financial records. Intimate details of lives behind bars. Or outside of them.
UpGuard flagged Pay Tel on May 7. Followed up a few days later. By then the data was secured. Closed. Safe? Maybe.
Has Pay Tel admitted this happened? Not yet.
Vincent Townsend, the president, didn’t return TechCrunch’s email. Nobody responded.
Weird for a company this size to have no visible cyber lead. Who is watching the doors? Nobody seems to know.
And here’s the kicker. The photos? Some included EXIF data. GPS coordinates. Granular enough to pinpoint a home address. Your street. Your door. Just by taking a selfie for a prison call.
This isn’t their first scare. June 2025 brought a ransomware attack. Now this. A pattern emerging? Maybe.
Why does this keep happening? Companies misconfigure clouds. They skip best practices. They trust defaults that aren’t secure. TechCrunch sees it constantly. Sensitive data. Exposed to anyone with a search engine.
Are they telling the victims? Unclear.
Will they notify attorneys general as state laws demand? Still quiet.
“Tech companies leaving sensitive documents on the open web.”
It’s careless. Dangerous.
What will you do when your face and ID float around the web forever?
We’re left guessing.
