On March 20, 2025, federal prosecutors in the Eastern District of Michigan indicted Matt Weiss on 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. The indictment alleges that between 2015 and 2023, Weiss illegally accessed a third-party vendor’s databases containing personal information about student-athletes at more than 100 colleges and universities.

Once he broke into the database, Weiss allegedly started down a path of targeted exploitation. He downloaded the personally identifiable information and medical data of more than 150,000 student-athletes and used this information to access thousands of individuals’ social media, email, and cloud storage accounts. He also downloaded personal, intimate digital photographs and videos belonging to student-athletes, other students, and alumni.

Weiss faces a potential maximum sentence of five years in prison on each of the 14 charges of unauthorized access and two years on each of the 10 counts of identity theft, plus fines, fees, and other penalties.

Lawsuits Being Filed Seeking to Hold the University of Michigan and Others Responsible

Former student-athletes are starting to file lawsuits against the University of Michigan and other institutional defendants for their part in Weiss’s hacking. Weiss’s actions are alleged to have started in 2015 when he worked with the Baltimore Ravens and head coach John Harbaugh. His alleged illegal actions continued when he moved in 2021 to the University of Michigan, working as a quarterback coach with Jim Harbaugh.

In December 2022, the University of Michigan received information that Weiss was “inappropriately accessing” computer accounts in the Wolverine football offices. After an investigation by the Michigan State Police, the University fired Weiss in January 2023, but no criminal charges were brought at that time. The University took no public action to address any potential data breaches or to inform its students that their accounts may have been hacked and their private, sensitive information exposed.

Now, the University of Michigan is facing lawsuits by former athletes concerned that their private information has been exposed. The University is accused of failing to properly supervise and monitor Weiss. Keffer Development Services, a third-party vendor that keeps medical data of student-athletes, is also being named in these lawsuits, as Weiss used the Keffer system to illegally access some 150,000 athlete accounts through the elevated access afforded to athletic directors and trainers.

The lawsuits claim that Weiss’s hacking was part of a larger pattern of misconduct that the University should have prevented or addressed more thoroughly. They allege that when students and staff raised concerns about abuse and privacy violations, Michigan officials either ignored them or failed to take meaningful action, creating an environment in which student-athletes felt unsafe and unprotected.

Legal Grounds for the Lawsuit

This news comes amid increasing scrutiny of how universities handle misconduct involving their athletic staff. Several high-profile cases have exposed systemic failures at major universities in recent years. Again and again, these cases describe situations where reports of abuse or privacy violations were either dismissed or downplayed by university officials.

Here, those who have been hacked may be able to hold the University, Keffer Development Services, and others liable for invasion of privacy, negligence, and failing to protect student-athletes from harm. In cases like this, plaintiffs often argue that universities have a legal duty to protect their students from foreseeable harm. If they can show that Michigan officials were aware (or should reasonably have been aware) of Weiss’s misconduct but failed to act, the University could be held liable for damages.

These cases may also raise questions about the University’s policies on digital security. 

If a high-ranking staff member could access sensitive, private information without permission, it could indicate broader weaknesses in Michigan’s and Keffer’s cybersecurity protocols.

Are You Affected by the Weiss Data Breach?

In the coming weeks, those individuals who had their accounts hacked will be receiving a notice from the United States Attorney’s Office Victim/Witness Department. If you or a loved one receives such a notice, please contact Sommers Schwartz today for a free, no-obligation consultation. Lisa Esser-Weidenfeller and Richard Groffsky and their legal team have a proven record of success. They can help you understand your options for pursuing justice and compensation.

In addition to compensating victims, a civil lawsuit could lead to policy changes that improve protections for student-athletes, including more vigorous oversight of coaching staff and better security measures for personal data. High-profile cases like this can inspire others to share their stories and seek justice. Rest assured that any lawsuit can be brought under Jane Doe or John Doe anonymity so that your identity is protected.