3 former NC athletes among victims in ex-Michigan coach Matt Weiss hacking case
Three former college athletes from North Carolina are among the alleged victims in a federal investigation accusing former Michigan assistant football coach Matthew Weiss of illegally obtaining intimate photos and videos in a yearslong, multifaceted hacking scheme.
The women were enrolled at Wake Tech Community College and Shaw University, both based in Raleigh, and High Point University in High Point, North Carolina, according to requests for evidence preservation sent to the schools by the law firm representing the victims.
Megan Bonanni and Lisa Esser-Weidenfeller represent multiple unnamed individuals from across the country in an upcoming civil lawsuit. The United States Department of Justice is handling criminal charges.
Weiss was indicted by a federal grand jury in March on 14 counts of unauthorized access and 10 counts of aggravated identity theft after investigators seized thousands of photos and videos, often with the subjects nude or engaging in sexually explicit acts. He pleaded not guilty.
Tuesday, Bonanni and Esser-Weidenfeller requested the schools save electronically stored information from 2014 through 2024. These records include but are not limited to emails, text messages, video footage, student records, investigative reports, notes, communication between the schools and the University of Michigan, and any other formal or informal communication regarding the allegations levied against Weiss.
Preservation includes protecting the records from routine data deletion. Requests to preserve records are fairly common in civil lawsuits. Similar notices were sent to other universities, including Kentucky, Radford, Simmons and Loyola Chicago.
“What we’re simply asking is that relevant information be maintained,” Bonanni said Friday. “Sometimes with emails and whatnot, there might be a policy to destroy emails after a certain period of time, or to clean video tape. That happens all the time. In other cases, they just destroy things because it’s just a part of their business. This letter is basically saying, ‘Hey, we are here, and we want you to maintain all of this information.’”
Bonanni, based in Michigan, has represented survivors of sexual violence, of which she says this is a case, and athletes. She represented survivors of former gymnastics team doctor Larry Nassar and Dr. Robert Anderson, the late physician who allegedly sexually abused more than 1,000 people in his nearly 40 years working at the University of Michigan, in civil lawsuits.
The legal team has not received a response from any of the schools. The News & Observer contacted all three institutions but none responded to its request for comment, as of 5 p.m. Friday.
“This is not just a data breach, and I think a distinction needs to be made, because this amounts to a digital invasion of the most private aspects of a person’s life: their photos, their videos, their intimate records,” Bonanni said. “These were all obtained without their consent. This is a violation of your privacy.”
What to know about the Weiss investigation
Weiss is a former Michigan Wolverines and Baltimore Ravens assistant. Weiss served as the Wolverines’ co-offensive coordinator in 2022, when the team finished 13-1 and appeared in the College Football Playoff. He was fired from Michigan in 2023 after failing to comply with an investigation into his computer use. Prior to his stint in Ann Arbor, he spent more than 10 years with the Ravens of the National Football League.
The indictment, published by the U.S. Department of Justice, alleges that Weiss — from 2016 to 2024 — made a concerted effort to search for and download the content. The exact number hacking instances isn’t known, Bonanni said, but at least 1,500 hacks included private photos and videos.
“Weiss primarily targeted female college athletes,” the indictment states. “He researched and targeted women based on their school affiliation, athletic history and physical characteristics. His goal was to obtain private photographs and videos never intended to be shared beyond intimate partners.”
Though many victims are current or former female student-athletes, Bonanni said males and non-athletes were also included in the findings.
The indictment says Weiss hacked into more than 100 databases, maintained by third-party vendor Keffer Development Services, that stored student-athlete information. The databases included personally identifiable information and medical data. Weiss downloaded this information and passwords student-athletes used to access the databases, the DOJ claims. This impacted more than 150,000 current and former student-athletes.
Then, the DOJ says, Weiss targeted more than 2,000 people. Through additional research and information found through the hacks, he allegedly discovered information — pets, places of birth, nicknames — that allowed him to hack into personal social media, cloud storage and email accounts by guessing or resetting their passwords.
The DOJ says Weiss also hacked into the systems of higher education institutions across the country, including the University of Michigan and Westmont College, revealing vulnerabilities in their cybersecurity. He retrieved information about students and alumni that he used to gain unauthorized access to their personal accounts. This impacted another 1,300 individuals.
According to the indictment, Weiss reportedly took notes about the photos and videos he viewed. These notes included comments about the subjects’ bodies and sexual preferences. It claims Weiss would return to some accounts, months or years after first hacking into them, to try to find more files.
Former Michigan head coach Jim Harbaugh and Ravens head coach John Harbaugh both told the AP the allegations were “shocking.”
‘A wake-up call’
Bonanni said several clients became aware of the situation when they received an email from the DOJ roughly 18 months ago, alerting them of the hacks. Many potential victims, however, do not know they were affected. The notification email, which was provided to The News & Observer, didn’t look official, Bonanni said.
“It looked like one of those emails you shouldn’t open the links to,” Bonanni said.
Many clients realized they may have been hacked after the indictment was released. Bonanni said the DOJ began notifying people more than a year ago, but she has not heard of schools telling their students, whether by email or letter, they could have been victims of the hacks. She suspects there are more victims from North Carolina colleges and universities who don’t know they were impacted.
“They trust this school to take care of them on the field and off the field.… There’s this bond, and they work so hard in their chosen sport, which of course, uplifts the profile of the school,” Bonanni said. “To have your personal information hacked and not be informed, or potentially hacked and not be informed, is deeply troubling.”
A civil case was filed in Michigan earlier this month against the University of Michigan, Keffer Development and Weiss. The case cites the university and company’s duties to protect private data and called mitigation efforts to prevent security breaches “substandard.” Additionally, the lawsuit states the university did not properly supervise Weiss.
“This demonstrates that the systems and processes that these colleges and universities put in place to protect the private information of students was just egregiously breached and wholly inadequate,” Bonanni said. “That is truly our target in terms of institutional change and accountability.”
Plaintiffs listed in the initial lawsuit were former Michigan women’s soccer players, gymnasts and a Loyola Chicago volleyball player.
It is unclear whether a civil case could be filed in North Carolina, or which parties may be named defendants. Bonanni said litigation could span multiple years.
Similar to Bonanni’s work in the lawsuit against USA Gymnastics involving Nassar, the goal with any civil lawsuit is to prevent abuse of this scale from happening again.
“What makes this case especially disturbing is the level of planning and persistence involved. This wasn’t an impulsive act,” Bonanni said. “The person who did this took intentional, calculated steps to gain unauthorized access to private accounts — often belonging to student-athletes they had no personal relationship with. That kind of behavior is not only criminal — it reveals a deeply predatory mindset.
“That’s why we’re calling it what it is: cyber sexual assault. It may not involve physical contact, but the emotional and psychological impact is devastating. The harm comes from the same place: a desire to exert power by violating another person’s dignity and autonomy. This case is a wake-up call for universities across the country. It shows how digital tools can be weaponized, especially against young people, and how important it is that institutions take proactive steps to prevent this kind of abuse and hold those responsible fully accountable.”
