Updates: Adds comments from Arizona Superintendent of Public Instruction Tom Horne, Treasurer Kimberly Yee and a ClassWallet spokesman. It also clarifies that the state was set to award the contract in response to a financial management service RFP.
A recent data breach involving the contractor in charge of Arizona’s expanded Empowerment Scholarship Account (ESA) program is now under investigation by the Arizona Department of Homeland Security.
In a letter to Arizona Superintendent of Public Instruction Tom Horne today, Gov. Katie Hobbs flagged the breach in ClassWallet’s systems and demanded a report detailing the department’s response by Aug. 3.
Hobbs also speculated the breach could be tied to the recent resignations of ESA program director Christine Accurso and director of operations Linda Rizzo, though Accurso denied any connection.
In the letter, Hobbs asked what steps the department is taking to address a potential breach of state data privacy law and federal protections under the Family Educational Rights and Privacy Act. She also asked whether Horne had referred the breach to the Attorney General under consumer fraud statutes.
In a response today, Horne said the breach was a “unique and isolated incident that affected no other users and was corrected right away,” and confirmed the office had not referred the matter to the attorney general as they had already talked to the Arizona Department of Homeland Security.
He also added that the resignations of Accurso and Rizzo “has absolutely nothing to do with any reported data breach.”
On July 13, Arizona Capitol Times’ affiliate publication the Yellow Sheet Report reported a claim from an ESA parent that she was able to access thousands of purchases from ESA parents in the program through her ClassWallet account. One of her five children’s ESA accounts showed a “View All Approvals” tab, which included pages of orders, with student names, home addresses and disability categories, along with information about the type of order, receipts and invoices.
Those allegations mirror the concerns Hobbs expressed in her letter to Horne.
“These resignations come at the heels of a cybersecurity incident in which thousands of personal information data points…were viewable through the program’s financial management platform, ClassWallet,” Hobbs wrote. “This incident has prompted the Arizona Department of Homeland Security (AZDOHS) to activate the state Incident Response Team to review all details of this situation.”
Treasurer Kimberly Yee contacted the Arizona Department of Homeland Security on July 14, a day after the Yellow Sheet reported the breach, Hobbs’ spokesman Christian Slater said.
In a statement from the Treasurer’s Office, Yee said they referred the matter to both the Attorney General’s Office and the Arizona Department of Homeland Security and notified ADE.
Yee said her office “received verbal confirmation from Homeland Security that the breach did not originate with the vendor.”
A spokesman for the Arizona Attorney General declined to comment. The office is in the middle of an ongoing consumer fraud investigation into the program.
ADE put out a statement from ClassWallet CEO Jamie Rosenburg the day after the Yellow Sheet reported the breach earlier this month.
“The problem has been solved. It was a permission setting error. Once discovered, we took immediate action and corrected the permission setting,” Rosenburg said. “Additionally, we performed a database search and concluded no other users were affected. Therefore, this is an isolated incident to a single user.”
The parent who initially accessed the information was not able to view it again when logging back in.
In a statement today, a spokesperson for ClassWallet said, “We object to any implication that ClassWallet was at fault in this incident. ClassWallet has fully supported the Arizona Department of Homeland Security in its investigation into the matter, and we look forward to its swift resolution and published results.”
But in an email to lawmakers alerting them to the breach, Kathy Boltz, another ESA parent, noted this was not the first time an issue like this occurred and cited prior breaches in ClassWallet. In one instance, a breach revealed the names of all ESA account holders, and in the other, shipping addresses were made plainly visible.
“ClassWallet has had breaches again and again. It is gratifying to see Governor Hobbs’ concern for personal information of Arizonans,” Boltz told the Arizona Capitol Times. “Superintendent Horne continues to disregard ESA user concerns.”
Slater, the governor’s spokesman, declined to comment on whether the Governor’s office or the Arizona Department of Homeland Security has been in contact with the Arizona Attorney General, federal law enforcement or other federal officials concerning the breach, citing the ongoing AZDOHS investigation.
The letter from the governor comes days after two of the state’s top ESA program administrators suddenly resigned and as ADE and the state Treasurer’s Office prepare to award a new contract to manage the state’s expanded ESA program, which the governor’s office estimated could cost around $940 million this fiscal year.
Accurso, the former ESA director, did not respond to a request for comment but did respond to Hobbs in a tweet.
“The same type of data breach has happened on this platform in the past, even as late as last December. This has nothing to do with resignations. You should review all the investigations and contact the contract holder, the State Treasurer’s office,” Accurso said.
ClassWallet was awarded the contract to run the ESA program with no contest in 2019. This time around ClassWallet is seeking the contract alongside Odyssey, Merit International and Student First Technologies.
The state was set to award the contract in response to a financial management service RFP on July 7 but pushed the deadline back to Aug. 1.
Yellow Sheet editor Wayne Schutsky contributed to this report.