Former Michigan football coach indicted in hacks of athlete databases of more than 100 colleges
A former University of Michigan assistant football coach was charged Thursday by federal prosecutors with hacking into the student athlete databases of more than 100 colleges and universities and accessing the medical information of about 150,000 people.
The Justice Department unveiled a 24-count indictment of 42-year-old Matthew Weiss, who served as co-offensive coordinator for the university’s famed team for two seasons after working in minor roles for the NFL’s Baltimore Ravens.
Acting U.S. Attorney Julie Beck announced the charges, accusing Weiss of gaining unauthorized access from 2015 to January 2023 to student athlete databases of more than 100 colleges and universities that were maintained by third-party vendor Keffer Development Services. Michigan hired Weiss in 2021 and fired him in January 2023.
Weiss allegedly downloaded the personal information and medical data of more than 150,000 athletes. In addition to obtaining health information of students, he also hacked into the “social media, email, and/or cloud storage accounts of more than 2,000 target athletes,” as well as another 1,300 students and alumni from universities across the country, prosecutors said.
“Weiss primarily targeted female college athletes. He researched and targeted these women based on their school affiliation, athletic history and physical characteristics,” the indictment said. “His goal was to obtain private photographs and videos never intended to be shared beyond intimate partners.”
He allegedly kept notes on certain women and continued tracking them, sometimes returning to breached accounts months or years after. Prosecutors believe he compromised the passwords of about 150 accounts on Keffer Development Services that gave him elevated levels of access typically offered to trainers and athletic directors.
Prosecutors claimed Weiss "cracked the encryption" protecting passwords used by athletes themselves — a tactic he learned through "research that he did on the internet." He also searched through data breaches to find leaked login information for certain athletes in order to access their accounts on social media.
Weiss also "exploited vulnerabilities in universities' account authentication process to gain access to the accounts of students or alumni." Michigan and Westmont College are the only schools named as having students or alumni whose information was accessed.
Keffer Development Services, which also goes by the name Athletic Trainer System, did not respond to requests for comment.
The Pennsylvania-based software company runs a platform that allows trainers to document injuries to thousands of athletes at the high school and college level. It claims to be compliant with several federal data security regulations, including HIPAA and FedRAMP. Keffer says it works with 600 organizations across 48 states.
Weiss was charged with 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. He faces a maximum of five years for each hacking charge and two years for each identity theft charge.
“Our office will move aggressively to prosecute computer hacking to protect the private accounts of our citizens,” Beck said.
Cheyvoryea Gibson, Special Agent in Charge of the FBI in Michigan, added that the FBI Detroit Cyber Task Force worked closely with the University of Michigan Police Department on the case.
The University of Michigan declined to comment on the indictment, directing all questions to the Justice Department. The university also shared a statement from 2023 when they announced the firing of Weiss.
“After a review of University policies, the athletic department has terminated the appointment of co-offensive coordinator/quarterbacks coach Matt Weiss. Consistent with university policy, we will have no further comment on this personnel matter,” the spokesperson said.
Before joining Michigan University in 2021, Weiss worked for the Ravens dating back to 2009. The Ravens and the NFL did not respond to requests for comment about Weiss, who allegedly conducted the hacking of college databases while working for the team.
In January 2023, Michigan placed Weiss on leave, telling ESPN that the school was investigating a "report of computer access crimes" that took place at the team facility in December 2022.
The university runs a daily crime log that shows that on January 5, 2023, an “employee reported fraudulent activity involving someone accessing university email accounts without authorization.”
“Upon further investigation, it was found that a crime may have been committed,” the log said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.