Full Report
Matthew Weiss, the former Co-Offensive Coordinator and Quarterbacks Coach at the University of Michigan, has been indicted on serious charges related to unauthorized access to computers and aggravated identity theft. Weiss, aged 42 and a resident of Ann Arbor, Michigan, faces a 24-count indictment that includes 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. The indictment was announced by Acting U.S. Attorney Julie A. Beck, with support from Cheyvoryea Gibson, Special Agent in Charge of the FBI Detroit Field Office.

## Unauthorized Access to Student-Athlete Databases

The charges stem from Weiss’s alleged activities between 2015 and January 2023, during which time he is accused of illegally accessing confidential data stored by a third-party vendor managing student-athlete databases for over 100 colleges and universities. Through these unauthorized means, Weiss is believed to have accessed and downloaded sensitive personal information and medical records of over 150,000 athletes.

In addition to the unauthorized access of student data, the indictment reveals that Weiss used the obtained information, combined with his own internet research, to infiltrate the online accounts of more than 2,000 student-athletes. His activities also extended to an additional 1,300 students and alumni from various universities across the United States. These accounts included social media, email, and cloud storage platforms. Weiss is accused of downloading private and intimate photos and videos from these accounts—content that was never meant to be publicly shared.

Acting U.S. Attorney Julie A. Beck emphasized the seriousness of the charges, stating, “Our office will move aggressively to prosecute computer hacking to protect the private accounts of our citizens. We stand ready with our law enforcement partners to bring those who illegally invade the privacy of others to justice.”

## Details of the Investigation

FBI Special Agent Cheyvoryea Gibson echoed these sentiments, highlighting the extensive investigative efforts involved in the case. “Today’s indictment of Matthew Weiss underscores the commitment and meticulous investigative efforts of our law enforcement professionals,” said Gibson. “The FBI Detroit Cyber Task Force, in close collaboration with the University of Michigan Police Department, worked relentlessly on this case to safeguard and protect our community.”

If convicted on all counts, Weiss faces a maximum penalty of five years in prison for each count of unauthorized access to computers. Additionally, each count of aggravated identity theft carries a potential penalty of two years in prison. Notably, a conviction for aggravated identity theft carries a two-year mandatory minimum sentence, which must be served consecutively to any other sentence imposed for the underlying charges.

## Conclusion

The case is still in its early stages, and Weiss, like any defendant, is entitled to the presumption of innocence unless proven guilty beyond a reasonable doubt. However, the indictment presents a disturbing picture of the misuse of technology and the violation of individuals’ privacy. This case serves as a reminder of the risks associated with unauthorized access to personal data and the potential for identity theft, which can have long-lasting consequences for victims.

The prosecution of Weiss is being led by Assistant U.S. Attorneys Timothy Wyse and Patrick Corbett, with the investigation being conducted by the Federal Bureau of Investigation. The case will continue to unfold, and authorities are likely to pursue further action to ensure that those responsible for identity theft and unauthorized access to personal data are held accountable.
Analysis Summary
# Incident Report: Unauthorized Access and Identity Theft by Former University Employee
## Executive Summary
Matthew Weiss, a former University of Michigan football coach, has been indicted on 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. The indictment alleges that between 2015 and January 2023 he accessed student-athlete databases maintained by a third-party vendor for over 100 colleges and universities, then used that data, combined with his own internet research, to get into the online accounts of individual students and alumni. The announcement does not describe the technical attack vectors. The investigation is being conducted by the FBI, and the case is being prosecuted by the U.S. Attorney's office.
## Incident Details
- Discovery Date: Not explicitly stated (Implied close to indictment date)
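- Incident Date: Between 2015 and January 2023 (per the indictment)
- Affected Organization: A third-party vendor managing student-athlete databases for over 100 colleges and universities (vendor not named); Weiss was a coach at the University of Michigan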
- Sector: Education / Athletics
- Geography: United States (affected students and alumni attended universities across the country)
## Timeline of Events
### Initial Access
- Date/Time: Not specified; the alleged activity spans 2015 to January 2023
- Vector: Not described in the announcement; the charges allege unauthorized access to computers
- Details: The individual allegedly gained unauthorized access to confidential data stored by a third-party vendor managing student-athlete databases.
### Lateral Movement
- Details: No information provided regarding internal network movement.
### Data Exfiltration/Impact
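- Details: Weiss allegedly downloaded personal information and medical records of over 150,000 athletes. He then allegedly used that information to access the social media, email, and cloud storage accounts of more than 2,000 student-athletes and an additional 1,300 students and alumni, and downloaded private photos and videos from those accounts.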
### Detection & Response
- Detection: Investigation conducted by the University of Michigan Police Department and the Federal Bureau of Investigation (FBI).
- Response Actions: Legal indictment filed against the former coach.
## Attack Methodology
*Note: Since this is a legal indictment summary, the Kill Chain methodology is inferred from the charges.*
- Initial Access: Unauthorized access to a third-party vendor's student-athlete databases.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed for the vendor databases. For the individual online accounts, the indictment says he used the downloaded information combined with his own internet research.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Personal information and medical records from the vendor databases; private photos and videos from individual online accounts.
- Exfiltration: The data was allegedly downloaded; the transfer method is not detailed.
- Impact: Identity theft and violation of user privacy rights.
## Impact Assessment
- Financial: Potential financial harm to victims due to identity theft; prosecution costs.
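- Data Breach: Personal information and medical records of over 150,000 athletes; private photos and videos taken from the online accounts of student-athletes, students, and alumni (more than 2,000 student-athlete accounts and an additional 1,300 student and alumni accounts were allegedly accessed).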
- Operational: Minimal operational impact described, as the focus is the legal outcome.
- Reputational: Negative impact stemming from the revelation of a former coach abusing access privileges.
## Indicators of Compromise
- Network indicators: None provided (System access involved).
- File indicators: None provided.
- Behavioral indicators: Unauthorized access pattern leading to identity theft charges.
## Response Actions
- Containment measures: Not detailed, but implied cessation of access following investigation.
- Eradication steps: Not detailed.
- Recovery actions: Authorities (FBI, UMPD) worked to safeguard the community and pursue legal accountability.
## Lessons Learned
- Key takeaways: Insider threat, even from former trusted employees, remains a significant risk, particularly when access privileges are not adequately revoked.
- What could have been done better: Need for stringent, immediate offboarding procedures to revoke all system access upon departure.
## Recommendations
- Prevention measures for similar incidents: Implement stronger Role-Based Access Control (RBAC) policies. Mandate regular audits of access permissions for former employees and contractors. Ensure timely password resets and deactivation of accounts upon separation.