Date: 2023-08-01

PHOENIX (3TV/CBS 5) -- The Arizona Department of Homeland Security has released its findings on a data breach that impacted the state’s school voucher program, better known as ESA.

State officials wrote in their report that for about eight days, a parent had access to, and spent a “considerable” amount of time looking at, other parents’ orders on ClassWallet. The department alleges that at no point did the parent(s) make an effort to contact ClassWallet. However, ClassWallet stated (per the report) that its logs wouldn’t be able to detect “local data capture methods,” such as photographs, screenshots and printing webpages.

Then on July 11, an Arizona Department of Education employee noticed a social media post saying that a parent had gained access to the approval queue in ClassWallet. About 30 minutes later, the company revoked access to the data and reverted the parent to the normal parental account setting.

Exposed data through that portal included:

First and last name of the student,

First and last name of the parent,

Email address of the person placing the order,

Home shipping address,

Amount spent per order,

Items purchased per order,

Phone number of the person placing the order,

Application type.

On July 14, ClassWallet notified the Treasurer’s Office that an education department employee was involved in the matter. The Treasurer’s Office told the company to avoid speaking with the education department until further notice. The treasurer advised the Arizona Security Operations Center of a possible breach that day. Three days later, the Arizona Department of Homeland Security was notified.

On July 24, the state’s incident response teams, including top education and security officials, began gathering more details on the incident. A meeting held later that afternoon revealed that the involved Department of Education employee had resigned from their role effective immediately.

As Arizona’s Family previously reported, those top-ranking officials included executive director Christine Accurso and operators director Linda Rizzo. The report does not specify if the resignation notice pertained to one or both administrators. After the report’s release, state Superintendent of Public Education Tom Horne said they did not know the reason for Accurso’s departure.

“The department did not request this resignation; it was initiated by the former employee,” Horne explained. Horne also addressed the report itself, saying in part, “The DHS report confirms that the Department of Education notified ClassWallet of a data issue. We received a statement on July 14.”

In a public statement, Accurso didn’t reveal a reason or a catalyst for leaving her role, instead saying that she had “achieved much of what [she] set out to accomplish.” She added, “It is time to move on and pursue other opportunities to engage citizens, especially parents, to fight for school choice and other issues they believe in for the future of our state.”

In the days that followed, security officials requested server log files and asked more questions to piece together what happened. In addition, “ClassWallet confirmed that no other Arizona ESA parent accounts besides the one involved in the incident had received elevated privileges,” the report said.

The contractor also revealed two other incidents involving the Arizona ESA program to state Homeland Security, one of which temporarily exposed addresses and the other of which populated names and email addresses. Those issues were resolved without incident in 2021.

