A security lapse at prison pay phone service Pay Tel publicly exposed over 300K callers’ driver’s licenses

Prison calling service Pay Tel has secured a publicly exposed cloud server storing hundreds of thousands of driver’s licenses and other sensitive information about people who used its services, according to a cybersecurity firm that alerted the company to the security lapse.

Security researchers with UpGuard said in a blog post that they identified a Microsoft Azure-hosted storage server storing at least 300,000 driver’s license scans and other government-issued identity documents belonging to Pay Tel. The server was unprotected without a password, allowing the data inside to be accessible from the web.

Pay Tel provides tablets and other communication devices to prisons across much of the United States for inmates to receive calls. Customers signing up to Pay Tel have to provide a copy of their identification documents and a profile photo before they can use the service, which UpGuard said were exposed.

The security researchers said inmate communications, including text messages, handwritten notes, and financial records, were also exposed as a result of the security lapse. UpGuard said it alerted Pay Tel on May 7 after determining that the company managed the server and followed up days later before it was secured. Pay Tel has not yet acknowledged the security incident.

The data exposure at Pay Tel is the latest example in recent months of tech companies leaving people’s highly sensitive documents on the open web for anyone to find. TechCrunch has reported on this recurring problem of companies often misconfiguring their systems or falling below cybersecurity best practices, and as a result, allowing anyone on the internet to view their customers’ personal information.

UpGuard said many of the user-uploaded photos also contained the precise real-world location of where the images were taken; in some cases, granular enough to identify someone’s home address. This is Pay Tel’s second known security lapse in as many years, following a ransomware attack in June 2025.

Pay Tel president Vincent Townsend did not respond to an email from TechCrunch with questions about the security lapse. It’s unclear if the company plans to notify the individuals whose data was exposed or if the company will alert attorneys general under U.S. state data breach notification laws. TechCrunch could not ascertain who, if anyone, is responsible for cybersecurity at Pay Tel.