by Traverse Legal, reviewed by Enrico Schaefer - March 27, 2025 - Complex Litigation, Matt Weiss Hacking Scandal
If you think you may have been impacted by the University of Michigan data breach involving former football coach Matt Weiss, now is the time to protect your legal rights. Your privacy, security, login information, and well-being may have been severely compromised. So far, those affected include student athletes at the University of Michigan between 2015 and January 2023 and students at yet-undisclosed other universities during that period. As the investigation into the scandal continues, we should expect the details to become even more disturbing.
This hacking and privacy invasion resulted in the unauthorized access and theft of highly sensitive personal information, and reports are suggesting that intimate photos, videos, medical records, and private communications were accessed and potentially shared by the perpetrator, Matt Weiss. Suppose the criminal indictment against Matt Weiss is proven truthful. In that case, the University of Michigan, the Athletic Department, and the now-defunct Database Security Company, Keffer Development Services, LLC, now out of business, may all have significant culpability for allowing this to occur. By the way, we’ve investigated Keffer Development Services, its owners, and its athletic trainer software system, which is at the center of the unauthorized access allegations. Our law firm knows much more than we can publicly report here about this company, which provided software to schools like the University of Michigan and contained medical and other personal information about athletes, students, and employees. The data security aspect of this system is highly suspect and, without question, should never have remained in place after the company went defunct. The University of Michigan has failed to explain why it would allow the use of software that no longer had the support of the development company because of that company’s insolvency.
If the case is proven in court, student athlete victims will be entitled to significant compensation, including emotional distress, statutory damages under applicable privacy laws, and punitive damages if the current allegations are true. The fact that there has been a criminal indictment of Matt Weiss suggests there is substantial evidence beyond what our lawyers have already uncovered. Understanding your legal rights under Michigan and federal law requires expertise across several databases, security technologies, and unique legal theories.
Traverse Legal, a law firm with nearly 30 years of experience specializing in technology, data privacy, and data breach litigation, is committed to guiding victims through the legal process and maximizing their potential recovery.
Lawsuits are already being filed, and your rights need to be protected. Our data privacy and security attorneys are ready to answer your questions. Contact us for a free consultation. There is no fee if there is no recovery.
Learn about your legal options and how to join the data breach lawsuit.
The information provided in this post is derived from publicly available sources and involves allegations against the University of Michigan, Matt Weiss, and other associated parties. These allegations are currently unsubstantiated and unproven, and the criminal proceedings involving Matt Weiss are ongoing; his guilt or innocence has yet to be determined. Meanwhile, civil lawsuits, including class-action lawsuits, are being initiated to advocate for and protect the rights of potential victims.
In January 2023, Matt Weiss, a former football coach and co-offensive coordinator at the University of Michigan, was indicted on multiple federal charges from a prolonged hacking operation. Between 2015 and January 2023, Weiss allegedly gained unauthorized access to sensitive databases managed by Keffer Development Services, LLC (now an abandoned website), which stored personal and medical data for student athletes at over 100 universities nationwide. Exploiting weak encryption, overprivileged accounts, and inadequate security protocols, Weiss accessed the personally identifiable information (PII) and intimate digital content of more than 150,000 athletes, targeting over 3,300 individual accounts.
Using that information, prosecutors allege: “Weiss began using open-source records to ascertain personal information of specific athletes such as “mother’s maiden name, pets, places of birth and nicknames.” That allowed Weiss “to obtain access to the social media, email, and/or cloud storage accounts of more than 2,000 targeted athletes by guessing or resetting their passwords,” according to the indictment.
“Once he obtained access … Weiss searched for and downloaded personal, intimate photographs that were not publicly shared,” the indictment read.
Weiss is also charged with obtaining similar access, for similar purposes, of an additional 1,300 students and/or alumni from schools across the country.
Source: Ex-Michigan football assistant pleads not guilty to cyber fraud – ESPN
Who else is involved? Keffer Development Services allegedly managed the hacked databases, but it dissolved in 2020. As technology lawyers, we understand better than anyone the tremendous risks that unsupported legacy systems, without updates and patches, present, let alone for systems storing students’ sensitive and private information, including medical information. Despite known security risks alleged to have been flagged in internal audits, the University of Michigan continued using these unsupported database systems, potentially contributing to the extensive scope of the breach. The allegations are that the University of Michigan ignored what would have been obvious red flags and security risks for years.
Keffer Development Services, LLC, was a Michigan-based IT and software development company specializing in database management and custom software solutions primarily for educational institutions. Michael Keffer founded the company in 2011, and it remained in operation until its dissolution in 2020. Among its clients was the University of Michigan Athletic Department, which developed and maintained “SpartanTrac,” a specialized database used to manage sensitive student-athlete information, including academic records, medical clearances, and NCAA compliance data. Based on the criminal indictment, it is clear that many other schools used the Keffer development software.
Here are some screenshots from the Keffer website before the company filed for dissolution. We continue to research the software and database issues in these cases. Interestingly, the specialized software reported in this case does not appear anywhere on the website (as recorded at archive.org). However, since the beginning of Kefra development, it has marketed software identified as the Athletic Trainer System, a package still being used today. It is unclear whether the ATS system is involved in the U of M hacking incident.
Keffer Development Services’ role in the Matt Weiss data breach is significant due to alleged critical security vulnerabilities in the ATS. These vulnerabilities included weak encryption methods, overly permissive account privileges, and the absence of multi-factor authentication, allegedly allowing Weiss unauthorized and prolonged access to confidential athlete data.
Even after Keffer Development Services ceased operations in 2020, the University of Michigan continued using the outdated system without proper security updates or vendor support. This oversight likely exacerbated the risk, enabling continued unauthorized access. Consequently, Keffer Development Services’ security failures may contribute substantially to legal claims against the University of Michigan related to negligence and inadequate protection of student-athlete data.
Am I Eligible to Join a Lawsuit Against the University of Michigan?
You may be eligible to join a lawsuit against the University of Michigan if you are a student-athlete, alumnus, or an individual whose personal data was stored or accessed without authorization in the Matt Weiss data breach between 2015 and January 2023. This includes victims whose intimate digital content, medical records, personal communications, or other sensitive personal information were compromised. UofM has represented back in October 2024 that they sent a letter (as required by law and potentially well after required by law) to each of the 230,000 students whose data was breached.
“On Monday, Oct. 23, in compliance with our legal obligations, we began the process of notifying approximately 230,000 individuals whose sensitive personal data was involved in the incident through postal mail and through notice on our website,” UM spokeswoman Kim Broekhuizen said in a Monday night statement. Hackers gained access to personal info on up to 230,000 individuals, UM says
Types of Damages That May Be Recoverable: The breach’s victims could recover compensation. This includes, but is not limited to:
– Emotional distress resulting from the unauthorized access and distribution of sensitive personal information.
– Sexual damages due to the invasion of intimate privacy.
– Statutory damages provided under specific privacy laws are designed to protect personal information.
– Punitive damages punish the responsible parties and deter similar misconduct.
Understanding Privacy Laws & Protections:
Several privacy laws could apply in this data breach case, including:
– FERPA (Family Educational Rights and Privacy Act): Protects student education records and personally identifiable information from unauthorized disclosure.
– HIPAA (Health Insurance Portability and Accountability Act): Safeguards medical records and personal health information, requiring strict confidentiality measures.
– CFAA (Computer Fraud and Abuse Act): A federal statute that criminalizes unauthorized access to computer systems, databases, and private accounts.
– Michigan-specific privacy statutes: Additional state laws may apply, further defining victims’ rights and potential recovery options in this data breach scenario.
Traverse Legal can help clarify how these laws apply to your situation and assist you in pursuing appropriate legal remedies. Contact us now to get immediate legal support.
You may not realize it, but a data breach can compromise your usernames and passwords across various platforms, including social media, email, cloud services, and other online accounts. Although the University of Michigan is legally required to notify affected individuals of a data breach under state law, many organizations fail to provide timely and detailed notice. Therefore, proactive measures are essential to protect your personal and financial security:
An immediate lawsuit to force the University of Michigan to disclose the circumstances and extent of the hack so that you can protect yourself is currently being prepared for our data breach clients. The goal is to understand the scope of the risk you may be facing. Without this information, it is very difficult to protect yourself and your private information.
It is unclear whether or not a class action will be viable in this circumstance, although this is often one of the remedies available to victims. Irrespective of whether or not a class action is filed and you’re a member of the class, it is always critical to obtain representation on an individual basis. Class action attorneys may not protect your interests. The class action type, structure, and settlement will require attorney approval. You want your attorneys sitting at that table. Traverse Legal can explain the benefits and implications of joining a class-action lawsuit explicitly tailored to the University of Michigan data breach circumstances.
Traverse Legal has nearly three decades of dedicated experience representing clients in complex technology, privacy, and data breach cases. Our proven track record includes successful outcomes in high-profile litigation involving significant data breaches and technology disputes, positioning us uniquely to handle cases involving the University of Michigan data breach.
Our attorneys have been practicing technology law since the birth of the internet back in 1993. We understand technology and regularly advise business clients on data security and data breach notification issues. In other words, we not only know what we’re doing, we’ve been doing it for a long time.
It’s going to take a large team of lawyers, paralegals, and experts to adequately represent you in the case against the University of Michigan and others. U-M has extremely deep pockets, aggressive attorney representation, and is expected to fight hard in order to protect itself. We know who to hire to do a forensic examination designed to protect your legal interests. And more importantly, we know how to work with these experts to protect our clients and their legal rights.
At Traverse Legal, we put the client first. Our commitment to transparency provides full access to your file as well as our task management tool. That means you understand what’s happening at all times in all matters affecting your case. We have handled the largest block of injury victims in several national and global events, far outpacing our competitors on client satisfaction and customer service.
Due to the scale and seriousness of the Matt Weiss data breach, numerous class-action lawsuits will likely be filed against the University of Michigan and the involved individuals and entities. Affected individuals may have the option to participate in a collective legal action. It will take a long time to sort out which, if any, class actions will be viable and whether or not you are a member of any particular class. Therefore, it is essential to ensure you are represented as an individual signing a retainer agreement on a contingency fee basis with a competent law firm that can protect your rights no matter which way the case turns or twists.
Yes, International students affected by the data breach at the University of Michigan can typically join legal actions filed within the United States. Legal rights are not restricted by citizenship or residence status. Traverse Legal can help you understand how to protect your best interests.
Compensation for data breach victims may include:
– Emotional distress
– Damages related to invasion of privacy (including sexual damages)
– Statutory damages under relevant privacy laws
– Punitive damages are intended to penalize responsible parties and deter similar future conduct
– Reimbursement for identity protection services or other out-of-pocket expenses incurred due to the breach
Victims must file their claims within statutory deadlines, known as statutes of limitations. These deadlines can vary depending on the jurisdiction and the specific type of claim. Prompt action is essential, and victims should contact Traverse Legal immediately to ensure their rights are fully protected.
If you attended another institution using the same compromised software accessed by Matt Weiss, you may still have legal claims. A list of schools impacted by the breach will soon be made public. Suppose your data was compromised through Weiss’s unauthorized access at any of these institutions. In that case, you may be eligible to pursue legal action against the University of Michigan, Matt Weiss, and potentially other responsible parties. Traverse Legal can help you determine your eligibility and guide you through your available legal options.
Absolutely. As reported by the Detroit News, you should have received a letter from the University of Michigan notifying you that your data was breached. However, college students typically move around, and many will likely never receive that communication. It will take a long time to determine who will receive compensation and how much they will receive. Your best move is to get representation early and protect your privacy rights if you have a claim. We are happy to work with you while we investigate whether or not you are a victim of this unfortunate data breach scandal.
As a founding partner of Traverse Legal, PLC, he has more than thirty years of experience as an attorney for both established companies and emerging start-ups. His extensive experience includes navigating technology law matters and complex litigation throughout the United States.
This page has been written, edited, and reviewed by a team of legal writers following our comprehensive editorial guidelines. This page was approved by attorney Enrico Schaefer, who has more than 20 years of legal experience as a practicing Business, IP, and Technology Law litigation attorney.
