Former college football coach Matthew Weiss has been charged with computer-hacking related crimes that involve downloading sensitive data about over 150,000 student athletes from more than 100 colleges and universities. The Justice Department announced the charges against Weiss, a 42-year-old former co-offensive coordinator at the University of Michigan, on Thursday.
Weiss allegedly used this stolen data to break into the social media, email, and cloud storage accounts belonging to over 2,000 athletes. According to an indictment released by the Justice Department, Weiss primarily targeted female college athletes based on their school affiliation, athletic history, and physical characteristics. His goal was to obtain private photographs and videos that were never intended to be shared beyond intimate partners.
Federal investigators say Weiss conducted the hacking activities from 2015 to January 2023, when he was put on leave from the football team as campus police began to investigate suspected computing-hacking crimes. The investigation revealed that Weiss hacked into a third-party vendor called Keffer Development Services, which operates the Athletic Trainer System, a database that stores medical information on student athletes.
Weiss obtained access to these databases by compromising the passwords of accounts with elevated levels of access, such as those held by trainers and athletic directors. He was also able to download the passwords used by the athletes themselves, which were encrypted but could be decrypted by researching how to do so online.
"Using the combined information that he obtained from the student athlete databases and his internet research, Weiss was able to obtain access to the social media, email, and/or cloud storage accounts of more than 2,000 targeted athletes by guessing or resetting their passwords," the court document states.
Allegedly, Weiss also broke into the online accounts for 1,300 other students and alumni. In some instances, he exploited vulnerabilities in universities' account authentication processes to gain access to these accounts.
Weiss faces 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft, which carries a maximum penalty of 90 years in prison if he's convicted of all charges.
Keffer Development Services, the vendor whose database Weiss hacked into, did not immediately respond to requests for comment. The University of Michigan has also declined to comment on the matter.
This case highlights the growing concern about cybersecurity and data protection in higher education. As institutions of learning continue to collect sensitive information about their students, it's essential that they prioritize protecting this data from unauthorized access.