Former UK athlete victim of data breach by ex-Michigan football coach Matt Weiss
At least one University of Kentucky male student-athlete is believed to be a victim of a data breach and cyber assault of Matt Weiss, a former assistant football coach at the University of Michigan and Baltimore Ravens, who was indicted last week.
Weiss was federally indicted in March on 24 counts of unauthorized access and aggravated identity theft of student-athlete information, according court documents.
Weiss allegedly hacked into 150,000 student-athletes’ accounts at colleges and universities nationwide, including UK. Up to 3,300 of those accounts involved intimate and private videos and photos, authorities say.
“Thousands of candid, intimate photographs and videos have been seized from the defendant’s electronic devices and from his cloud storage accounts,” according to an email from the Justice Department’s Mega Victim Case Assistance Program.
“Many show victims naked. Some show victims engaged in explicit sexual acts.”
A notice was sent to UK on April 8 where civil attorneys Megan Bonanni and Lisa Esser-Weidenfeller asked officials to preserve electronic evidence of student athletes from 2017 to 2020.
“Weiss hacked into the accounts of thousands of student-athlete accounts at colleges and universities around the country, including that of John Doe,” the notice reads.
Their client, listed as John Doe, attended UK from 2017 to 2020, documents show.
Bonanni and Esser-Weidenfeller represented victims in the Larry Nassar case, as well as the plaintiffs who filed sexual assault complaints against former UK swimming coach, Lars Jorgenson.
Nassar is a convicted serial child rapist and former family medicine physician. For 18 years, he was the team doctor of the US women’s national gymnastics team, where he used his position to exploit and sexually assault hundreds of young athletes.
He is jailed in a federal prison likely for the rest of his life.
More allegations are being revealed against Weiss daily, including how he accessed a massive amount of student data. According to lawsuits, Weiss is alleged have gained unauthorized access to databases maintained by a third-party vendor.
Weiss allegedly downloaded personal information and data of more than 150,000 athletes and, from there, was able to access the information of more than 2,000 athletes, including access to their social media, email and cloud storage.
University of Kentucky spokesperson Jay Blanton said the university “never received an evidence preservation notice.”
Attorneys: Check if you received a notice
Esser-Weidenfeller and Bonanni came into contact with the student at UK “organically” after an article was published about Weiss’s indictment and the former athlete realized he received a notice of a data breach and ignored it. Soon after, he tracked down the attorneys.
According to Esser-Weidenfeller, many students may have received a nondescript notice from the Department of Justice via email in 2024 — which was easy to disregard.
“Some (notices) would go into their junk folder, and it was a generic notice that your data may have been breached which included Matt Weiss’s name,” Esser-Weidenfeller told the Herald-Leader. “But there was no information about what was breached or that it could be tied to the their university.”
The notice included a link to click for more information, which people often believe could be a scam, Esser-Weidenfeller said.
“If you are receiving this notification, it means that information of yours was found in possession of the defendant,” the Department of Justice’s email read.
Esser-Weidenfeller and Bonanni discovered many universities have not sent out notices of potential data breaches to their current and former students or student athletes.
It is unclear if UK sent out notices about a potential data breach, or if they were aware they were involved prior to the attorneys’ contact.
“Any student-athlete from 2015 to 2023 at a university or college — you need to go back and look,” Bonanni said. “Even if they didn’t get a notice, that doesn’t mean they weren’t impacted.
“This spans from the East to West Coasts, involves men and women in every sport,” Bonanni said.
Federal investigation and lawsuits launched
Weiss was fired from his coaching position the University of Michigan in 2023 after the investigation began.
He has pleaded not guilty to all 24 charges.
As of April 10, at least 11 individuals — all listed as “Jane Does” — have opted to take part in a class-action lawsuit against Weiss. Some of the victims’ state of residence includes Illinois, Maryland, Louisiana and Missouri.
Some of the defendants listed in the lawsuits include Weiss and the University of Michigan Board of Regents. Keffer Development Services is also listed as a defendant, and is a software design company for athletic trainers.
According to their website, Keffer Development provides services to 600 clients across 48 states and internationally including high schools and college customers.
This story was originally published April 10, 2025 at 11:31 AM.
