PHOENIX — The Arizona Department of Homeland Security is investigating an apparent data breach in the online network that processes purchases by families that use Empowerment Scholarship Accounts, according to Democratic Gov. Katie Hobbs and other state officials.
Hobbs disclosed the investigation on Friday in a letter to Republican School Superintendent Tom Horne. She demanded to know what action he had taken to deal with the data breach.
Hobbs' letter came two weeks after the top Empowerment Scholarship Account administrator at Horne's Department of Education said in an email to staff that the department would not alert ESA families or the public to the breach unless the media asked about it.
"Business as usual," Christine Accurso said in an email on July 14 to ADE staff, which ADE released on Friday.
The day before that email, "The Yellow Sheet," a subscription-only Capitol report, had reported on a claim by an ESA parent that she was exposed to information on thousands of other users through her online account with ClassWallet, the company that processes voucher-related payments.
12News has confirmed the information in the Yellow Sheet report.
Accurso abruptly quit last Monday, along with the No. 2 ESA administrator, Linda Rizzo.
Horne said in an interview with 12News after the resignations that Accurso and Rizzo had "done what they needed to do to clean up the mess they inherited." He denied that anything inappropriate had occurred during their tenure.
ClassWallet processes almost half-a-billon dollars in claims for 60,000 ESA families.
According to a statement by ClassWallet's chief executive that was released by Horne, the data breach was "an isolated incident to a single user" and "no other users were affected."
On Tuesday, Arizona state Treasurer Kimberly Yee is expected to award a new contract to manage ESA transactions.
Florida-based ClassWallet has held the contract for four years. ClassWallet and three other companies have bid on the new contract.
"It was appalling, and I know this has happened before," Kathy Boltz, an ESA parent for seven years, said of the data breach. Boltz said she was informed of the breach by other ESA parents.
The ClassWallet system keeps track of financial transactions in an ESA account. Families can get reimbursed for tuition, school-related items, professional services and other needs.
"The system was never designed to protect the data of the students," Boltz said.
"The administration has always left a lot to be desired the whole time we've been using (ESAs)."
Hobbs' letter Friday came at the end of a tough week for the ESA program:
- The top 2 administrators abruptly quit
- Hobbs' office projected a $319 million deficit for the school-voucher program, based on Horne's own estimates of enrollment growth through next June. The state's independent budget analysts have questioned Horne's data.
- Democratic Attorney General Kris Mayes has stepped up her oversight of the program, with a social media post seeking reports of potential fraud.
Arizona was the first state in the country to make every student eligible for vouchers to pay for private or parochial school, or be home-schooled.
The Empowerment Scholarship Account program has grown fivefold, to 60,000 students, since all 1.1 million Arizona students were granted eligibility 11 months ago. Horne has overseen the program's expansion since taking office in January.
Critics have questioned the lack of accountability and transparency built into the Republican-passed bill that cleared the way for the universal expansion.
Hobbs has vowed to curb the voucher program's growth.
Treasurer Yee, whose office oversees the ESA financial services vendor, said in a prepared statement that ClassWallet wasn't to blame for the data breach.
"We have received verbal confirmation from Homeland Security that the breach did not originate with the vendor," Yee said.
"We have also been provided assurances from Homeland Security that the vendor and my office have responded appropriately to the incident. Based on information received, we are not aware of any existing data breach and have confidence that the ESA platform is secure."
Yee said her office "immediately contacted the Arizona Department of Homeland Security" and has referred the matter to the Attorney General's Office.
A spokesman for ClassWallet said the company wasn't to blame for the breach:
"We object to any implication that ClassWallet was at fault in this incident. ClassWallet has fully supported the Arizona Department of Homeland Security in its investigation into the matter, and we look forward to its swift resolution and published results."
Officials at the Arizona Department of Homeland Security could not be reached for comment.
Arizona Politics
Get the latest Arizona political news on our 12News YouTube playlist here.