State schools chief Tom Horne responded expeditiously and with extreme snark to a letter released on Friday by Governor Hobbs regarding a minor data issue involving a single user of the Empowerment Scholarship Account (ESA) program.
In his biting response to the governor, Horne assured her that the issue had been resolved and concluded, “I beat your six day deadline by six days.”
The Department of Education also released part of the response the Arizona Department of Education (ADE) received on July 14 from ClassWallet CEO Jamie Rosenburg:
“The problem has been solved. It was a permission setting error. Once discovered, we (ClassWallet) took immediate action and corrected the permission setting.
Additionally, we performed a database search and concluded no other users were affected. Therefore, this is an isolated incident to a single user.”
Hobbs wrote Horne:
On July 24, 2023, it was reported that the Director of the Empowerment Scholarship Account (ESA) program at the Department of Education, Christine Accurso resigned. Additionally, reporting on July 25, 2023 indicated that Linda Rizzo, another high-ranking ESA program administrator, also resigned.
These resignations come at the heels of a cybersecurity incident in which thousands of personal information data points, including student names, and disability categories, were viewable through the program’s financial management platform, ClassWallet. This incident has prompted the Arizona Department of Homeland Security (AZDOHS) to activate the state Incident Response Team to review all details of the situation.
As students and parents prepare for a new school year, the sudden and unexpected departures of Director Accurso and Linda Rizzo raise concerns and questions about the administration of the ESA voucher program and the protection of student data under your supervision.
In addition to your cooperation with AZDOHS, pursuant to Article V, § 4 of the Arizona Constitution and A.R.S. 41–101 (A) (10), I hereby demand a special report in writing by August 3, 2023, that includes the answers to the following questions.
Hobbs’ questions:
Q 1) How is your administration responding to the data breach that occurred through ClassWallet, and what actions are being taken to prevent similar a similar event in the future?
Q 2) How have ESA parents been notified of the unauthorized data disclosure of their children’s personal information?
Q 3) What steps is your administration taking to address any potential violations of the Family Educational Rights and Privacy Act’s (FERPA) provisions on release of education records and disclosure consent requirements?
Q 4) What steps is your administration taking to address any potential violations of State statutes relating to student data privacy including, without limitation ARS §§15–1045 and 15–1046?
Q 5) Have you referred this matter to the Attorney General for investigation under the consumer fraud statutes as contemplated in ARS §15–1046 (G)? If not, please explain whether and when you intend to do so.
Horne’s answers:
This is the report you requested.
The first point to make is that the decision of Christine Accurso and her assistant, who came on to straighten out the mess caused by the previous administration, and when that was accomplished, left to go on to other things, has absolutely nothing to do with any reported data breach.
We answer your questions in the order that they were propounded:
1. Our office contacted ClassWallet, the program’s financial vendor to notify them of the purported breach. We sent an email to ClassWallet telling them to either fix the problem or shut down the processing of all transactions. ClassWallet informed us that they had solved the problem. After that, we got a message from the Office of the State Treasurer that we did not have authority to request the stopping of processing of transactions because the contract was not between the Department of Education and ClassWallet, but it was between the Office of the State Treasurer and ClassWallet. ClassWallet sent us an email, which is attached as an exhibit to this letter. It stated in part:
“The problem has been resolved. It was a permission setting error. Once discovered, we (ClassWallet) took immediate action and corrected the permission setting.
Additionally, we performed a database search and concluded no other users were affected. Therefore, this is an isolated incident to a single user.”
2. Parents were not notified because of the finding that it was a unique and isolated incident that affected no other users and was corrected right away.
3. See answer to number two.
4. The Department of Homeland Security in your own office is conducting an investigation. They met with officials in our office. Since the department of homeland security is part of your office, we would have thought you would have checked with them before writing your letter that is full of wild exaggerations.
5. No. That would be a matter for your own department of homeland security which again, we are surprised you did not check with.
I beat your six day deadline by six days.
Treasurer Kimberly Yee confirmed that the data breach was limited and proper authorities had been advised of the matter:
“As background, my office contracts with financial service firms and companies to meet the banking and financial service needs of state agencies. As such, the ESA program is contracted via my office, but the day-to-day management of the ESA program is the sole responsibility of the Arizona Department of Education.
As the contract administrator, my office was first made aware of a data breach earlier this month. We immediately notified our office’s outside legal counsel, who then referred the matter to the Arizona Attorney General’s Office. My office also immediately contacted the Arizona Department of Homeland Security and has adhered to all necessary protocols for identifying and, with the assistance of cyber security professionals, immediately responding to, stopping, and mitigating the breach. My office’s outside counsel also immediately notified the Arizona Department of Education of the referrals to the Attorney General and Homeland Security.
We have received verbal confirmation from Homeland Security that the breach did not originate with the vendor. We have also been provided assurances from Homeland Security that the vendor and my office have responded appropriately to the incident. Based on information received, we are not aware of any existing data breach and have confidence that the ESA platform is secure.
At this time, we will defer to the Arizona Department of Homeland Security and await its final findings.”