If you're a victim of the University of Michigan Matt Weiss hacking scandal, discover your legal rights, options for compensation, and how Traverse Legal's expertise in data privacy, security, and forensics makes our law firm different.
If you think you may have been impacted by the University of Michigan data breach involving former football coach Matt Weiss, now is the time to protect your legal rights. Your privacy, security, login information, and well-being may have been severely compromised. So far, those affected include student athletes at the University of Michigan between 2015 and January 2023 and students at yet-undisclosed other universities during that period. As the investigation into the scandal continues, we should expect the details to become even more disturbing.
This hacking and privacy invasion resulted in the unauthorized access and theft of highly sensitive personal information, and reports suggest that intimate photos, videos, medical records, and private communications were accessed and potentially shared by the perpetrator, Matt Weiss. If the criminal indictment against Matt Weiss is proven true, the University of Michigan, the Athletic Department, and the now-defunct database security company Keffer Development Services, LLC, may all have significant culpability for allowing this to occur. By the way, we've investigated Keffer Development Services, its owners, and its athletic trainer software system, which is at the center of the unauthorized access allegations. Our law firm knows much more than we can publicly report here about this company, which provided software to schools like the University of Michigan and contained medical and other personal information about athletes, students, and employees. The data security aspect of this system is highly suspect and, without question, should never have remained in place after the company went defunct. The University of Michigan has failed to explain why it would allow the use of software that no longer had the support of the development company because of that company's insolvency.
If the case is proven in court, student athlete victims will be entitled to significant compensation, including emotional distress, statutory damages under applicable privacy laws, and punitive damages if the current allegations are true. The fact that there has been a criminal indictment of Matt Weiss suggests there is substantial evidence beyond what our lawyers have already uncovered. Understanding your legal rights under Michigan and federal law requires expertise across several databases, security technologies, and unique legal theories. Traverse Legal, a law firm with nearly 30 years of experience specializing in technology, privacy, and data breach litigation, is committed to guiding victims through the legal process and maximizing their potential recovery.
The information provided in this post is derived from publicly available sources and involves allegations against the University of Michigan, Matt Weiss, and other associated parties. These allegations are currently unsubstantiated and unproven, and the criminal proceedings involving Matt Weiss are ongoing; his guilt or innocence has yet to be determined. Meanwhile, civil lawsuits, including class-action lawsuits, are being initiated to advocate for and protect the rights of potential victims.
Lawsuits are already being filed, and your rights need to be protected. Our data privacy and security attorneys are ready to answer your questions. Contact us for a free consultation. There is no fee if there is no recovery.
The Matt Weiss University of Michigan Hacking Scandal
In January 2023, Matt Weiss, a former football coach and co-offensive coordinator at the University of Michigan, was indicted on multiple federal charges stemming from a prolonged hacking operation. Between 2015 and January 2023, Weiss allegedly gained unauthorized access to sensitive databases managed by Keffer Development Services, LLC (now an abandoned website), which stored personal and medical data for student athletes at over 100 universities nationwide. Exploiting weak encryption, overprivileged accounts, and inadequate security protocols, Weiss accessed the personally identifiable information (PII) and intimate digital content of more than 150,000 athletes, targeting over 3,300 individual accounts.
Using that information, prosecutors allege, Weiss began using open-source records to ascertain personal information of specific athletes such as "mother's maiden name, pets, places of birth and nicknames." That allowed Weiss "to obtain access to the social media, email, and/or cloud storage accounts of more than 2,000 targeted athletes by guessing or resetting their passwords," according to the indictment.
"Once he obtained access ... Weiss searched for and downloaded personal, intimate photographs that were not publicly shared," the indictment read.
Weiss is also charged with obtaining similar access, for similar purposes, of an additional 1,300 students and/or alumni from schools across the country.
Ex-Michigan football assistant pleads not guilty to cyber fraud – ESPN
Who else is involved? Keffer Development Services allegedly managed the hacked databases, but it dissolved in 2020. As technology lawyers, we understand better than anyone the tremendous risks presented by unsupported legacy systems that no longer receive updates and patches, especially systems storing students' sensitive and private information, including medical information. Despite known security risks alleged to have been flagged in internal audits, the University of Michigan continued using these unsupported database systems, potentially contributing to the extensive scope of the breach. The allegations are that the University of Michigan ignored what would have been obvious red flags and security risks for years.
What is Keffer Development Services, and How Are They Involved?
Keffer Development Services, LLC, was a Michigan-based IT and software development company specializing in database management and custom software solutions primarily for educational institutions. Michael Keffer founded the company in 2011, and it remained in operation until its dissolution in 2020. Among its clients was the University of Michigan Athletic Department, for which it developed and maintained "SpartanTrac," a specialized database used to manage sensitive student-athlete information, including academic records, medical clearances, and NCAA compliance data. Based on the criminal indictment, it is clear that many other schools used the Keffer Development software. The fact that it's called "SpartanTrac" may suggest that Michigan State University used the software at one point, although this has yet to be alleged.
Here are some screenshots from the Keffer website before the company filed for dissolution. We continue to research the software and database issues in these cases. Interestingly, the SpartanTrac software reported in this case does not appear anywhere on the website (as recorded at archive.org). However, since its beginning, Keffer Development has marketed software identified as the Athletic Trainer System, a package still being used today. It is unclear whether the ATS system is involved in the U of M hacking incident. It is also unclear why Keffer Development's website doesn't appear to have marketed the SpartanTrac software, which is alleged to be at issue here.
Keffer Development Services' role in the Matt Weiss data breach is significant due to alleged critical security vulnerabilities in the SpartanTrac system. These vulnerabilities included weak encryption methods, overly permissive account privileges, and the absence of multi-factor authentication, allegedly allowing Weiss unauthorized and prolonged access to confidential athlete data.
Even after Keffer Development Services ceased operations in 2020, the University of Michigan continued using the outdated SpartanTrac system without proper security updates or vendor support. This oversight likely exacerbated the risk, enabling continued unauthorized access. Consequently, Keffer Development Services' security failures may contribute substantially to legal claims against the University of Michigan related to negligence and inadequate protection of student-athlete data.
What Are Your Legal Rights as a Data Breach Victim
Am I Eligible to Join a Lawsuit Against the University of Michigan?
You may be eligible to join a lawsuit against the University of Michigan if you are a student-athlete, alumnus, or an individual whose personal data was stored or accessed without authorization in the Matt Weiss data breach between 2015 and January 2023. This includes victims whose intimate digital content, medical records, personal communications, or other sensitive personal information were compromised.
"On Monday, Oct. 23, in compliance with our legal obligations, we began the process of notifying approximately 230,000 individuals whose sensitive personal data was involved in the incident through postal mail and through notice on our website," UM spokeswoman Kim Broekhuizen said in a Monday night statement.
Hackers gained access to personal info on up to 230,000 individuals, UM says
Types of Damages That May Be Recoverable: The breach's victims could recover compensation. This includes, but is not limited to:
– Emotional distress resulting from the unauthorized access and distribution of sensitive personal information.
– Sexual damages due to the invasion of intimate privacy.
– Statutory damages provided under specific privacy laws designed to protect personal information.
– Punitive damages to punish the responsible parties and deter similar misconduct.
Understanding Privacy Laws & Protections:
Several privacy laws could apply in this data breach case, including:
– FERPA (Family Educational Rights and Privacy Act): Protects student education records and personally identifiable information from unauthorized disclosure.
– HIPAA (Health Insurance Portability and Accountability Act): Safeguards medical records and personal health information, requiring strict confidentiality measures.
– CFAA (Computer Fraud and Abuse Act): A federal statute that criminalizes unauthorized access to computer systems, databases, and private accounts.
– Michigan-specific privacy statutes: Additional state laws may apply, further defining victims' rights and potential recovery options in this data breach scenario.
Traverse Legal can help clarify how these laws apply to your situation and assist you in pursuing appropriate legal remedies.
What Should You Do To Protect Yourself and Your Data?
How to Protect Yourself After the UofM Data Breach:
You may not realize it, but a data breach can compromise your usernames and passwords across various platforms, including social media, email, cloud services, and other online accounts. Although the University of Michigan is legally required to notify affected individuals of a data breach under state law, many organizations fail to provide timely and detailed notice. Therefore, proactive measures are essential to protect your personal and financial security:
- Change Passwords Immediately
- Monitor Your Accounts Closely
- Alert Financial Institutions
- Place a Credit Freeze or Fraud Alert
- Keep Records of Any Issues
An immediate lawsuit to force the University of Michigan to disclose the circumstances and extent of the hack so that you can protect yourself is currently being prepared for our data breach clients. The goal is to understand the scope of the risk you may be facing. Without this information, it is very difficult to protect yourself and your private information.
Should I Join a Class Action Against UofM For Privacy Violations?
It is unclear whether or not a class action will be viable in this circumstance, although this is often one of the remedies available to victims. Irrespective of whether or not a class action is filed and you're a member of the class, it is always critical to obtain representation on an individual basis. Class action attorneys may not protect your interests. The class action type, structure, and settlement will require attorney approval. You want your attorneys sitting at that table. Traverse Legal can explain the benefits and implications of joining a class-action lawsuit explicitly tailored to the University of Michigan data breach circumstances.
Why You & Your Family Should Choose Traverse Legal for Your Representation
We have 30 Years Specializing in Technology and Data Breach Law
Traverse Legal has nearly three decades of dedicated experience representing clients in complex technology, privacy, and data breach cases. Our proven track record includes successful outcomes in high-profile litigation involving significant data breaches and technology disputes, positioning us uniquely to handle cases involving the University of Michigan data breach.
Our attorneys have been practicing technology law since the birth of the internet back in 1993. We understand technology and regularly advise business clients on data security and data breach notification issues. In other words, we not only know what we're doing, we've been doing it for a long time.
We have Established Relationships with Top Digital Forensic Experts.
It's going to take a large team of lawyers, paralegals, and experts to adequately represent you in the case against the University of Michigan and others. U-M has extremely deep pockets, aggressive attorney representation, and is expected to fight hard in order to protect itself. We know who to hire to do a forensic examination designed to protect your legal interests. And more importantly, we know how to work with these experts to protect our clients and their legal rights.
Personalized and Responsive Representation
At Traverse Legal, we put the client first. Our commitment to transparency provides full access to your file as well as our task management tool. That means you understand what's happening at all times in all matters affecting your case. We have handled the largest block of injury victims in a number of national and global events, far outpacing our competitors on client satisfaction and customer service.
Frequently Asked Questions
Will There Be A Class Action Filed Against the University of Michigan?
Due to the scale and seriousness of the Matt Weiss data breach, numerous class-action lawsuits will likely be filed against the University of Michigan and the involved individuals and entities. Affected individuals may have the option to participate in a collective legal action. It will take a long time to sort out which, if any, class actions will be viable and whether or not you are a member of any particular class. Therefore, it is essential to ensure you are represented as an individual signing a retainer agreement on a contingency fee basis with a competent law firm that can protect your rights no matter which way the case turns or twists.
Can International Students Join the UofM Data Breach Lawsuit?
Yes, international students affected by the data breach at the University of Michigan can typically join legal actions filed within the United States. Legal rights are not restricted by citizenship or residence status. Traverse Legal can help you understand how to best protect your rights.
What Type of Compensation Can Victims Expect?
Compensation for data breach victims may include:
– Emotional distress
– Damages related to invasion of privacy (including sexual damages)
– Statutory damages under relevant privacy laws
– Punitive damages intended to penalize responsible parties and deter similar future conduct
– Reimbursement for identity protection services or other out-of-pocket expenses incurred due to the breach
How Long Do Victims Have to File a Claim?
Victims must file their claims within statutory deadlines, known as statutes of limitations. These deadlines can vary depending on the jurisdiction and the specific type of claim. Prompt action is essential, and victims should contact Traverse Legal immediately to ensure their rights are fully protected.
What if I Attended a Different School Using the Same Compromised Software?
If you attended another institution using the same compromised software accessed by Matt Weiss, you may still have legal claims. A list of schools impacted by the breach will soon be made public. If your data was compromised through Weiss's unauthorized access at any of these institutions, you may be eligible to pursue legal action against the University of Michigan, Matt Weiss, and potentially other responsible parties. Traverse Legal can help you determine your eligibility and guide you through your available legal options.
I Don't Know if I've Been Affected Yet. Should I Still Contact an Attorney?
Absolutely. It will take a long time to determine who will receive compensation and how much they will receive. Your best move is to get representation early and protect your privacy rights if you have a claim. We are happy to work with you while we investigate whether or not you are a victim of this unfortunate data breach scandal.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.