Pay Tel Data Leak Exposes 300,000 IDs on Open Azure Server

The Pay Tel data leak handed anyone with a web browser at least 300,000 government-issued ID scans, no password required. Researchers at UpGuard, a cyber risk firm, traced the exposure to a Microsoft Azure storage server that Pay Tel Communications, a prison telecom provider, left wide open to the public internet.

What stings here is not novelty. Azure refuses anonymous access to stored files unless an administrator switches that protection off, and major exposures built on exactly that mistake have been documented across Microsoft’s cloud for half a decade.

What UpGuard Found Inside Pay Tel’s Open Storage

Pay Tel supplies tablets and calling devices to jails and prisons across much of the United States. Before a family member or friend can use the service to reach someone inside, they have to upload a copy of their identification and a profile photo. Those uploads are what ended up sitting on the open server.

The scans were only the start. UpGuard reported that the same storage held inmate text messages, handwritten notes and financial records, alongside the personal photos people sent to loved ones behind bars. The researchers counted 387 unique jails referenced across the data, which was logged in the firm’s public breach reports.

Many of the uploaded photos also carried embedded location data. In some cases that telemetry was precise enough to pin down a sender’s exact home address, turning a routine photo upload into a map to someone’s front door.

The headline figures give a sense of the scale:

  • 300,000+ driver’s license and other government ID scans sitting in the open
  • 387 unique jails referenced across the exposed records
  • No password stood between the server and the public web

Azure Blocks Anonymous Access by Default

Here is the detail that turns this from bad luck into an own goal. A new Azure storage account does not allow anonymous public access. Microsoft sets the account-level switch, named AllowBlobPublicAccess, to off by default, and the company’s own documentation tells administrators to leave it that way.

To make files readable by strangers, someone has to take deliberate steps against that setting, as Microsoft’s guidance on blocking anonymous blob access spells out. Exposing a container to the public web takes a specific sequence:

  • Flip the account setting to permit public access, overriding the safe default
  • Set an individual container’s access level to “Container” or “Blob”
  • Skip the logging and alerting Azure offers to flag anonymous read requests

None of that happens in a single accidental click. Microsoft even ships an Azure Policy rule that lets an organization deny the public-access setting outright, so the platform hands customers the brakes. The Pay Tel exposure is what configuration drift looks like when nobody pulls them.
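The sequence above, turned into a configuration audit. This is an added example, not code from UpGuard, Microsoft or Pay Tel. The account and container names are constructed, and the field names (allowBlobPublicAccess, publicAccess) assume the JSON shape of Azure Resource Manager storage resources.

```python
# Constructed inventory. Field names follow the ARM JSON for storage accounts
# and blob containers (an assumption of this sketch); all names are made up.
INVENTORY = [
    {"name": "acct-locked", "allowBlobPublicAccess": False,
     "containers": [{"name": "uploads", "publicAccess": "Container"}]},
    {"name": "acct-open", "allowBlobPublicAccess": True,
     "containers": [{"name": "id-scans", "publicAccess": "Container"},
                    {"name": "photos", "publicAccess": "Blob"},
                    {"name": "internal", "publicAccess": "None"}]},
    {"name": "acct-armed", "allowBlobPublicAccess": True,
     "containers": [{"name": "logs", "publicAccess": None}]},
    {"name": "acct-unset", "containers": []},
]

def audit(inventory):
    """Return (account, container, status) findings for anonymous blob access."""
    findings = []
    for acct in inventory:
        flag = acct.get("allowBlobPublicAccess")  # True, False, or missing
        public = [(c["name"], c["publicAccess"].lower())
                  for c in acct.get("containers", [])
                  if (c.get("publicAccess") or "none").lower() != "none"]
        if flag is None:
            # Not set explicitly: do not guess, have an admin set it to false.
            # Public containers under it are reported as exposed (conservative).
            findings.append((acct["name"], None, "FLAG_UNSET"))
        elif flag and not public:
            # Account switch is on; one container change away from exposure.
            findings.append((acct["name"], None, "ARMED"))
        for name, level in public:
            if flag is False:
                # Account switch overrides the container level; stale setting.
                status = "LATENT"
            elif level == "container":
                status = "EXPOSED_LISTABLE"  # anonymous listing and read
            else:
                status = "EXPOSED_BY_URL"    # anonymous read of known blob URLs
            findings.append((acct["name"], name, status))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

LATENT and ARMED findings are not exposures yet, but each is one setting change away from one, which is why they are reported alongside the live cases.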

A Cloud Exposure Pattern That Keeps Repeating

This is not the first time public read access on Microsoft’s cloud has spilled sensitive data into open view. The same root cause has surfaced again and again, on Microsoft’s own infrastructure and on its customers’ accounts.

| Incident | Year | What Leaked | Root Cause |
|---|---|---|---|
| Pay Tel | 2026 | 300,000+ IDs, inmate messages, geotagged photos | Public read access on an Azure storage account |
| Power Apps portals | 2021 | 38 million records across 47 entities | Anonymous data access enabled by default |
| BlueBleed | 2022 | Data tied to 65,000 entities in 111 countries | Misconfigured public Azure Blob endpoint |

The 2021 Power Apps Default

UpGuard found 38 million records sitting in the open across 47 organizations, including the states of Indiana and Maryland, New York City, and companies such as American Airlines. The cause was OData (Open Data Protocol) feeds that allowed anonymous access whenever table permissions were left unset. Microsoft first told the firm the behavior was “by design,” then changed the product so those permissions ship on. The full account sits in the report on the 2021 Power Apps exposure of 38 million records.

The 2022 BlueBleed Dispute

A year later, security firm SOCRadar flagged a misconfigured Azure endpoint it nicknamed BlueBleed, with data tied to 65,000 entities across 111 countries and totaling 2.4 terabytes. Microsoft confirmed the misconfiguration but pushed back hard on the scale, arguing the figures were inflated by duplicates. You can still read SOCRadar’s writeup of the BlueBleed cloud bucket findings. The through-line across all three cases is the same: read access left open to the public, defaults tightened after the fact, and customer-side mistakes that keep slipping through.

Why Prison Telecom Records Carry Extra Risk

The population behind this dataset is what makes it dangerous. People contacting incarcerated relatives are not a random slice of the public, and the records tie real names to specific facilities. Layer the embedded photo coordinates on top, and the leak does more than enable identity theft; it can lead a stranger to where a vulnerable family lives.

“The remainder of the dataset consists of the photos of children, pets, friends, and family that were transmitted to inmates using the Pay Tel system.”

That line from the researchers’ report is the part that should worry a regulator. Driver’s licenses can be reissued. A trove of children’s photos tagged with home coordinates cannot be unsent once it has been crawled and copied.

A Second Security Failure in Two Years

Pay Tel has been here before. In June 2025, the DragonForce ransomware group claimed an attack on Pay Tel Communications, listing the company on its leak site.

That makes the open Azure server the provider’s second known security incident in roughly a year, and the two failures point in different directions: one an external attack, the other a self-inflicted misconfiguration that needed no attacker at all.

Pay Tel president Vincent Townsend did not respond to a request for comment. The researchers alerted the company on May 7, 2026, followed up days later, and the server was secured only after that contact.

The Notification Question Still Hanging

For now it is unclear whether the company plans to tell the people whose IDs, messages and photos were exposed, or whether it will alert state attorneys general under U.S. data breach notification laws. Those statutes vary by state, and a passwordless server that anyone could read is exactly the kind of incident they were written to cover.

If Pay Tel files breach notices, the families behind those uploads find out how exposed they were and can start freezing credit and watching for fraud. If the company stays quiet, the people most at risk may never learn their licenses and home coordinates sat on the open web at all.
