Ex-Michigan, Ravens Football Coach Charged with Hacking Athlete Accounts – Source: securityboulevard.com

A former football coach with the University of Michigan and the Baltimore Ravens faces two dozen federal charges, accused of hacking into the databases of more than 100 colleges and universities and downloading the personal and medical data of more than 150,000.

Between 2015 and January 2023, Matthew Weiss (pictured on the right of our featured image) then leveraged the information gained from student-athlete databases and his own internet searches to get access to social media, email, and cloud storage accounts of more than 2,000 of “target” athletes as well as more than 1,300 additional students and alumni from universities across the country, according to the Justice Department.

The 42-year-old Weiss used that access to download “private photographs and videos never intended to be shared beyond intimate partners,” reads a 24-count indictment handed up this week.

He faces 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. The FBI’s Detroit Cyber Task Force worked with the University of Michigan Police Department in investigating the case.

From the Ravens to Michigan

Weiss worked as an assistant coach for the Baltimore Ravens for more than a decade under head coach John Harbaugh until 2021, when he joined the university’s coaching staff led by Harbaugh’s brother, Jim Harbaugh. Jim Harbaugh is now head coach of the NFL’s Los Angeles Chargers.

Weiss’ alleged criminal activities began while he was with the Ravens.

He was fired two years later as Michigan’s co-offensive coordinator after a report by the Detroit News of Weiss and alleged computer crimes involving the university’s systems. According to the Associated Press, he had failed to cooperate with a police investigation.

After his firing, Weiss at the time said in a statement, “I look forward to putting this matter behind me and returning my focus to the game that I love.”

Skilled with Computers

According to investigators, Weiss used his own technical knowledge and what he gleaned from the internet to gain access to the more than 100 student databases by compromising the passwords of accounts of people with elevated privileges, such as trainers and athletic directors.

He also was able to download passwords athletes used to access the system used by the third-party database maintainer.

The passwords were encrypted, but “Weiss cracked the encryption protecting the passwords, assisted by research he did on the internet,” the 14-page indictment reads. “Through open-source research – and through information that appeared to be from data breaches – Weiss conducted additional research on targeted athletes to obtain personal information such as their mothers’ maiden names, pets, places of birth, and nicknames.”

According to investigators, he also kept notes about the photos and videos he downloaded and at times returned years later to the accounts he’d breached to look for new images.

Most Victims Were Women

“Weiss primarily targeted female college athletes,” the indictment reads. “He researched and targeted these women based on their school affiliation, athletic history and physical characteristics. His goal was to obtain private photographs and videos never intended to be shared beyond intimate partners.”

The indictment, filed in U.S. District Court in Detroit, lists 10 victims, all of whom were referred to as “Jane Doe.”

Keffer Development Services, a Pennsylvania company, maintained the databases. Keffer also uses the name Athletic Trainer System, offering an electronic health record system platform that athletic trainers can use to document and track injuries to their athletes and organizations to do the same with employees. The company claims to work with 600 organizations – including high schools, colleges, outreach programs, and industrial firms – across 48 states and internationally.