
A former University of Michigan football coach has been indicted for carrying out a nearly decade-long hacking campaign targeting over 100 U.S. colleges and universities, compromising sensitive medical records and personal accounts of more than 150,000 student athletes.
The scheme, allegedly orchestrated by 42-year-old Matthew Weiss, involved unauthorized access to databases maintained by a third-party athletic medical software provider and the targeting of female athletes for exploitation.
Decade of exposure
According to the 15-page federal indictment filed yesterday in the Eastern District of Michigan, Weiss exploited systemic weaknesses in access control and password security to infiltrate systems managed by Keffer Development Services, a Pennsylvania-based software vendor that provides injury and health tracking solutions for athletic programs across 48 states. The breached databases contained not only medical records but also personally identifiable information (PII), account credentials, and in some cases, private media files.
Weiss is charged with 14 counts of unauthorized access to protected computers and 10 counts of aggravated identity theft. Prosecutors say he began his hacking activity as early as 2015 and continued well into his tenure as co-offensive coordinator at the University of Michigan, which began in 2021. He was fired in January 2023 following an internal university investigation into suspicious access to email systems.
The indictment reveals that Weiss leveraged multiple methods to gain access, including:
- Cracking encrypted passwords used by student-athletes and staff, enabling privileged access to protected systems.
- Exploiting vulnerabilities in authentication mechanisms at universities.
- Using credentials leaked in prior data breaches to log into athletes’ social media, cloud storage, and email accounts.
150,000 students compromised
Weiss’s motivations, prosecutors allege, were not financial but voyeuristic. He specifically targeted female college athletes, selecting victims based on “school affiliation, athletic history, and physical characteristics.” The indictment describes how Weiss maintained records on individuals and, in some cases, revisited previously compromised accounts months or even years later to check for new private content.
The extent of the breach is massive:
- Over 150,000 individuals had their health or personal data compromised.
- More than 100 educational institutions were affected.
- 2,000+ athletes had their personal accounts hacked.
- 1,300 additional students and alumni were also targeted.
Keffer Development Services, also known as Athletic Trainer System (ATS), facilitates injury documentation and recovery tracking for high school and college athletic departments. While the company claims HIPAA and FedRAMP compliance, the indictment raises serious concerns about its ability to secure privileged user credentials — particularly those used by athletic trainers and directors, which Weiss allegedly exploited for administrative-level access.
Weiss reportedly continued his hacking while employed in high-profile football programs, including his prior role with the NFL’s Baltimore Ravens from 2009 to 2020.
If convicted, Weiss faces a maximum penalty of 5 years per hacking charge and 2 years per aggravated identity theft count.