By Corinne Murdock
Another data breach in two years has Empowerment Scholarship Account (ESA) holders wondering if their information is secure with the Arizona Department of Education (ADE). This past week, it was discovered that the state’s contracted payment platform for ESA funds, ClassWallet, had allowed users to search for other ESA account holders and view their names and email addresses.
In a letter sent to ESA holders, ESA Program Director of Communications and Engagement Sarah Raybon explained that they became aware of the data breach last Friday. Raybon assured ESA holders that ClassWallet would resolve that feature over the weekend.
“Today, our team became aware of an issue in ClassWallet portal’s search feature that allowed account holders to view the names and email addresses of other account holders,” wrote Raybon. “Upon discovery, we immediately contacted the Treasurer’s Office (who holds the ClassWallet contract) and we spoke to ClassWallet directly. We have been advised that ClassWallet engineers will be working over the weekend to get this fixed.”
During the Arizona State Board of Education’s meeting last week, parents questioned why a violation of federal law was happening again. They pleaded with the members to remedy these issues sooner rather than later. One ESA parent, Kelly Pichitino, admonished ADE for not cleaning up their act and ensuring any contract holders follow federal law after last year’s data breach.
“I would like to know why, for a second time, my child’s name is available for a stranger to view along with my personal information?” asked Pichitino. “[I] would think that the department would invest a little more thought and care, time and accountability into their actions.”
Further public commentary at the meeting also focused on other issues with the ESA system, such as inappropriate or incompetent staff behavior, apparently arbitrary denial of funds for educational needs, little to no communication and transparency, and relentless rule or policy changes.
These issues were also detailed in written comments, which are available here.
This isn’t the first time that ADE has compromised ESA members’ information unintentionally. As Arizona Capitol Times discovered and reported last January, the ADE failed to properly redact the personally-identifying information of all ESA account holders when fulfilling a public records request to three requestors, one of which was a group that actively campaigns against ESAs: Save Our Schools Arizona (SOSAZ).
Exposed information included parents’ first and last names, email addresses, the grade of their student(s), and any disabilities if a particular student had special needs.
The Arizona Department of Education (ADE) downplayed the data breach, saying that only “some” personal information was shared inadvertently.
“In the course of fulfilling a public records request to three individuals, the Arizona Department of Education (ADE) inadvertently disclosed some personally identifiable information belonging to Empowerment Scholarship Account holders,” stated ADE. “ADE redacted the document subject to the public records request but failed to secure the integrity of the redaction prior to sending the data, and the document was able to be manipulated to reveal private information.”