A significant security vulnerability at Pay Tel, a provider of communication services for correctional facilities, has left the sensitive personal information of more than 300,000 individuals exposed on the open web. A misconfigured Microsoft Azure-hosted storage server was discovered without password protection, allowing unauthorized access to a vast repository of government-issued identity documents.

The exposed data includes scans of driver’s licenses and other official identification used by individuals to access Pay Tel’s services. Beyond identity documents, the breach also compromised inmate communications, including text messages, handwritten notes, and various financial records. Compounding the privacy risk, many of the user-uploaded profile photos contained embedded metadata that revealed precise geographic locations, in some instances pinpointing the home addresses of users.

Pay Tel provides essential communication tools, such as tablets and specialized devices, to prisons throughout much of the United States. To utilize these services, customers are required to submit identification documents and profile photos. This incident represents the second major security failure for the company in a two-year period, following a previous ransomware attack in June 2025.

At this time, Pay Tel has not issued a formal acknowledgment of the exposure or provided a timeline for notifying those affected. It remains unclear whether the company will comply with state data breach notification laws or alert relevant legal authorities regarding the compromised data.