AZDOHS concludes former ADE employee is behind data leak of ESA families’ information

Listen to this article

The Arizona Department of Homeland Security concluded a former Arizona Department of Education staffer is behind a data leak of Empowerment Scholarship Account (ESA) families’ personal information.

In a report on the leak, AZDOHS found breach of vendor ClassWallet’s system stemmed from a permission setting switch by a former ESA administrator at the department.

While not explicitly named by AZDOHS, evidence presented in the executive summary released to the public appears to implicate former ESA Director Christine Accurso or Linda Rizzo, who was the ESA director of operations.

Accurso and Rizzo resigned the same day the AZDOHS incident response team met with members of ADE.

Arizona Superintendent of Public Instruction Tom Horne and an AZDOHS spokesman declined to say which employee is referenced in the full report.

ADE put out a statement from Horne this morning naming Accurso specifically but declining to speculate on her reason for leaving.

“The Arizona Department of Education had no way to know the reason for the resignation of Christine Accurso other than her own statements in her letter of resignation,” Horne said in the statement.

However, later in the day he told the Arizona Capitol Times that the department had “some indications,” but “we didn’t reach the conclusion that it was one of the people that resigned until the report came out today.”

An executive summary from AZDOHS details the timeline of the data leak and subsequent response by ADE, the state treasurer’s office, ClassWallet and the Arizona Department of Homeland Security.

On July 3, an ESA parent accessed the approval queue of all pending orders, which included full names of students and parents, associated email addresses and phone numbers, home shipping addresses, the items purchased, the amount spent per order and the application type.

The summary noted, “application type could be used to infer that the student may have a learning disability.”

The parent did not contact ClassWallet, but on July 11, an ADE employee notified the company of a social media post detailing the parent’s access to the approval queue. ClassWallet corrected the account privileges the same day.

Upon further investigation, ClassWallet concluded the leak originated from an ADE employee account.

The employee conducted a search for the student’s account and viewed account details where they could switch the user permissions.

ClassWallet notified the treasurer’s office that an ADE employee account had been implicated in the leak. The treasurer’s office instructed ClassWallet to “refrain from communicating” with ADE until further notice and referred the matter to the Arizona Security Operations Center and the AZDOHS.

On July 21, AZDOHS spoke with ADE staff, and members of AZDOHS and ADE met on July 24 to discuss the findings in the investigation.

By 4 p.m., the ADE employee at the center of the investigation had resigned, according to the summary.

Accurso and Rizzo are the only ADE employees who “separated” from the department on July 24, according to records provided by ADE.

After the resignation, investigators then accessed the former employee’s email, where they found communications between the employee and the ESA parent whose account permissions were changed days before the parent was first able to access the log of approvals.

Horne told the Arizona Capitol Times the resignations were not at the request of anyone in the department.

“When they resigned, they were doing it on their initiative. I had not asked them to resign, and no one else had,” Horne said. He said if someone had suggested or asked Accurso or Rizzo to resign, he would have known. “That’s just our culture here,” Horne said.

Accurso and Rizzo did not immediately respond to requests for comment.

AZDOHS sent the report to ADE, the treasurer’s office, the Governor’s Office and the Attorney General’s Office but declined to release it publicly, citing security concerns.

The full report includes “recommendations to enhance security of the ClassWallet Platform, update training, policies, and procedures, and conduct regular auditing and access reviews to ensure an error of this type doesn’t occur in the future.”

The report also comes the same day the treasurer’s office is slated to announce the contract award for the financial management vendor for the ESA program. ClassWallet is one of the four bidders.

A spokesperson for the treasurer’s office said the contract award would be posted on the site by 5 p.m. today.