Federal prosecutors said Matthew Weiss, a former assistant football coach at the University of Michigan, learned hacking skills to breach online databases, primarily targeting information about "female college athletes."
# Incident Report: Hacking of Collegiate Athlete Databases by Former University of Michigan Coach
## Executive Summary
A former assistant football coach, Matthew Weiss, was indicted for persistently hacking into the student athlete databases of over 100 colleges and universities, maintained by a third-party vendor, between 2015 and January 2023. The activity resulted in the unauthorized access and exfiltration of medical, personal, and private media data belonging to approximately 150,000 athletes, primarily targeting women. The compromise was discovered internally by the University of Michigan, leading to his termination, followed by a federal indictment.
## Incident Details
- Discovery Date: January 2023 (Reported fraudulent activity at UMich on Jan 5, 2023)
- Incident Date: Activity spanned from 2015 to January 2023
- Affected Organization: Over 100 colleges/universities (Data stored via Keffer Development Services)
- Sector: Higher Education (Sports/Athletics)
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: Ongoing from 2015 up to January 2023
- Vector: Exploitation of vendor platform vulnerabilities, leaked credentials, and password cracking.
- Details: Gained elevated access credentials (similar to trainers/ADs) on Keffer Development Services (Athletic Trainer System) by compromising about 150 accounts. Also used information gleaned from known data breaches to access athlete social media/cloud accounts.
### Lateral Movement
- Details: The scope implies movement within the vendor's shared database, which holds records for 100+ institutions. Additionally, the attacker accessed individual athlete accounts on social media, email, and cloud storage for specific targets (approx. 2,000 athletes targeted for private media).
### Data Exfiltration/Impact
- Details: Downloaded the personal information and medical data of over 150,000 athletes. Hacked into the private accounts (social media, email, cloud) of over 2,000 target athletes, primarily female athletes, to obtain private photographs and videos.
### Detection & Response
- Date/Time: January 2023
- Details: The University of Michigan detected "fraudulent activity involving someone accessing university email accounts without authorization" on January 5, 2023. Weiss was placed on leave and subsequently fired in January 2023 pending the police investigation. Federal prosecutors filed a 24-count indictment in late 2023/early 2024.
## Attack Methodology
- Initial Access: Exploiting vulnerabilities in universities' account authentication processes; using leaked login information from external data breaches to target athlete accounts.
- Persistence: Implied by the extended timeline (2015-2023) and continued tracking of victims.
- Privilege Escalation: Compromised approximately 150 accounts on the Keffer Development Services platform, obtaining elevated access levels intended for athletic staff.
- Defense Evasion: Not explicitly detailed, but the long duration suggests success in evading detection by security monitoring systems until internal reporting at one institution.
- Credential Access: Cracked encryption protecting passwords used by athletes (a tactic learned via online research); utilized credentials found in pre-existing data breaches.
- Discovery: Targeted research based on school affiliation, athletic history, and physical characteristics to select victims.
- Lateral Movement: Accessed shared athlete database hosted by Keffer; accessed individual third-party accounts (social media/cloud) of specific athletes.
- Collection: Gathered personal data, medical records, private photographs, and videos. Maintained notes on certain women.
- Exfiltration: Downloaded large volumes of data from the central vendor database; transferred media from individual accounts.
- Impact: Severe privacy violation, exposure of sensitive medical information, and non-consensual dissemination/access to private media.
## Impact Assessment
- Financial: Charges filed include 14 counts of unauthorized access to computers (up to 5 years each) and 10 counts of aggravated identity theft (2 years each). Financial costs to the vendor/universities are not specified.
- Data Breach: ~150,000 athletes' personal and medical data; private media/communications of ~2,000+ athletes.
- Operational: Disruption at the University of Michigan leading to employee termination; operational security review likely required for Keffer Development Services.
- Reputational: Significant reputational damage to the University of Michigan, Keffer Development Services, and college sports programs generally.
## Indicators of Compromise
- Network Indicators: None explicitly listed, as the attacker was an insider/privileged user utilizing legitimate access mechanisms initially, though system authentication logs would be key.
- File Indicators: Not applicable/specified in the description.
- Behavioral Indicators: Unauthorized access patterns on the Keffer system; accessing specific data sets inconsistent with standard job duties; suspicious access to athlete email/cloud accounts.
## Response Actions
- Containment: University of Michigan terminated the employment of Matthew Weiss in January 2023.
- Eradication: Unspecified, but likely involved immediate revocation of all vendor platform credentials and a shift in authentication protocols.
- Recovery: Dependent on downstream effects for the 100+ institutions; likely involved mandatory password resets and monitoring of breached personal accounts.
## Lessons Learned
- Over-reliance on a single third-party vendor (Keffer Development Services) created a single point of failure for highly sensitive data across numerous institutions.
- The ability to "crack encryption" and use data breach dumps highlights the extreme danger of non-unique or weak athlete passwords.
- Insider threat potential was realized, leveraging trusted access levels for malicious purposes over many years.
## Recommendations
- Implement mandatory, organization-wide multi-factor authentication (MFA) for all access to vendor platforms and athlete-related systems, regardless of access level.
- Conduct immediate security audits of third-party vendors like Keffer Development Services, specifically checking compliance and segmentation between institutional data.
- Enhance network monitoring to detect anomalous behavior patterns, such as an individual accessing data vastly outside their normal scope (e.g., accessing medical records across 100+ unrelated institutions).
- Educate or mandate strong password policies for athletes, discouraging the reuse of passwords between essential services (like university portals) and personal applications (like social media).
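The monitoring recommendation above can be reduced to a concrete check on a multi-tenant vendor platform: flag any account that reads records owned by institutions other than its own. The following is an added example written for this report, not code from Keffer Development Services or any of the institutions involved; the log format, field names and institution names are all constructed.

```python
# Added example (not from the report): detection logic for a shared, multi-tenant
# athlete-data platform. It flags accounts whose record access spans institutions
# other than their own, the anomaly the recommendation above describes.
import csv
import io
from collections import defaultdict

# Constructed sample access log. Columns: timestamp, account, home institution,
# institution that owns the accessed record, record type. All names are made up.
SAMPLE_LOG = """\
2023-01-03T09:12:00Z,trainer_a,Univ-A,Univ-A,medical
2023-01-03T09:15:00Z,trainer_a,Univ-A,Univ-A,medical
2023-01-03T21:40:00Z,staff_x,Univ-A,Univ-B,medical
2023-01-03T21:41:00Z,staff_x,Univ-A,Univ-C,personal
2023-01-03T21:42:00Z,staff_x,Univ-A,Univ-D,medical
2023-01-03T21:43:00Z,staff_x,Univ-A,Univ-E,medical
2023-01-04T08:00:00Z,trainer_b,Univ-B,Univ-B,personal
2023-01-04T08:30:00Z,trainer_b,Univ-B,Univ-C,medical
"""

def parse_log(text):
    """Parse CSV access records into dicts; blank lines are skipped."""
    fields = ("ts", "account", "home", "owner", "record_type")
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]

def institutions_per_account(rows):
    """Map each account to the set of institutions whose records it read."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["account"]].add(r["owner"])
    return seen

def cross_tenant_findings(rows, max_foreign=0):
    """Return {account: sorted foreign institutions} for every account that read
    records owned by more than `max_foreign` institutions other than its own.
    With max_foreign=0 any cross-tenant read is reported; a role that legitimately
    spans several schools can be given a higher allowance."""
    home = {r["account"]: r["home"] for r in rows}
    findings = {}
    for account, owners in institutions_per_account(rows).items():
        foreign = sorted(o for o in owners if o != home[account])
        if len(foreign) > max_foreign:
            findings[account] = foreign
    return findings

if __name__ == "__main__":
    for account, foreign in cross_tenant_findings(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {account}: read records of {len(foreign)} other institutions: {foreign}")
```

In production the home institution would come from the identity provider rather than the log row, and the allowance would be set per role.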