The Arizona Department of Homeland Security released a report confirming speculation that the former director of the state’s school voucher program was responsible for a data breach that occurred last year.
Initially, the department only provided an investigative summary of the breach, released in August. That summary implicated an unnamed Department of Education administrator in a breach that gave one voucher parent unauthorized access to other families’ data.
Christine Accurso, the former director of the Empowerment Scholarship Account program, and Linda Rizzo, the program’s former operations director, both resigned as a DHS incident response team investigated the breach — leading to speculation either could be the unnamed administrator in the report.
At the time, state Superintendent of Public Instruction Tom Horne said Accurso’s resignation had nothing to do with the data breach. But Horne later told Capitol Media Services that Accurso was implicated in the report, though it remained unclear to what degree she was involved in exposing families’ data.
But the latest report, prepared by the Department of Homeland Security in July but only released this week in response to a public records request, explicitly states Accurso’s account and computer were used to change the permission settings in a financial management program that led to the breach.
“The Arizona Department of Education was able to confirm that the IP address used to access Christine Accurso’s account in ClassWallet on 30 June 2023, [redacted], was linked to an Arizona Department of Education laptop that was registered to Christine Accurso,” according to the report.
And the new report specified there was no indication that someone else obtained unauthorized access to Accurso’s account and that she remained in control of the account at the time the permission setting change occurred.
“Log reports provided by ClassWallet and the Arizona Department of Education, including emails discovered in Christine Accurso’s inbox, show Christine Accurso’s ClassWallet account was under her control and had changed the access privileges for the ESA account of [redacted], and therefore [redacted] and [redacted]’’s account privileges,” according to the report.
Shortly before Accurso resigned in July, she told an Tom Considine, Arizona’s chief privacy and compliance officer, that she didn’t know how to change the permission settings that led to the breach. She never met with investigators again following her resignation.
Accurso did not respond to a request for comment.
In December, Arizona Attorney General Kris Mayes confirmed her office is investigating the incident.