How the U of M Data Breach Unfolded: A Timeline of Failure and Fallout
The University of Michigan has long been known for academic excellence and Big Ten glory. But behind the maize and blue pride, a digital scandal was quietly brewing—one that would expose the private data of thousands and shake public confidence in one of Michigan’s most powerful institutions.
Here’s how it all came apart.
January 2023: A Suspicious Digital Trail Emerges
The first signs of trouble appeared when U of M’s IT department detected suspicious activity on several university email accounts tied to the athletic department. What began as a minor security alert soon snowballed into a full-scale breach investigation.
Within days, access to multiple systems was suspended, and university officials confirmed they were probing “unauthorized access to university email accounts.” At the heart of that probe: Matt Weiss, the Wolverines’ co-offensive coordinator and a well-known figure in college football.
Weiss was later placed on leave—and then terminated—after reports surfaced that he had been linked to “unauthorized computer access” within university networks. Though criminal charges have yet to be filed, newly released FOIA documents indicate that investigators are still sorting through the digital evidence, including communications that could reveal whether this was an internal misuse of access or a targeted data breach.
The University’s Response: Too Little, Too Late?
Once the breach became public, U of M’s initial response was to limit internal access and conduct an “IT security review.” But weeks passed before affected individuals were notified, leaving thousands unaware that their personal data may have been compromised.
Emails to the U of M community cited “data security concerns,” but gave few specifics. For many, this lack of transparency only deepened frustration—and raised concerns about whether the university was more focused on damage control than disclosure.
Not U of M’s First Scandal
For those who follow U of M’s legal history, this isn’t the first time the university has faced scrutiny over how it handles private and sensitive information.
Just years earlier, the university agreed to a record-setting $490 million settlement with survivors of sexual abuse by Dr. Robert Anderson—a case in which Attorney Jon Marko of Marko Law served on the Plaintiffs’ Executive Committee, helping to secure justice for hundreds of victims who had been failed by institutional silence and cover-ups.
That history now casts a long shadow over the university’s credibility. When a trusted institution repeatedly mishandles sensitive data—whether it’s personal, medical, or digital—the pattern is impossible to ignore.
The Scope of the Breach: What Was Exposed
While U of M has not released a full list of compromised data, internal communications suggest that the breach may have involved access to:
- Names and contact information
- Student and employee ID numbers
- Email records and internal communications
- Social Security numbers and financial data
- Potentially health-related or scholarship information tied to athletic staff and students
For the victims—many of whom are student-athletes who already face public visibility—the risk isn’t just financial. It’s reputational, emotional, and deeply personal.
The Weiss Connection: What the New Documents Show
The newest filings don’t read like a routine IT mishap—they read like a playbook for digital exploitation. In March 2025, federal prosecutors unsealed a 24-count indictment charging former U-M co-offensive coordinator Matt Weiss with 14 counts of unauthorized computer access and 10 counts of aggravated identity theft. The government’s victim-notification page confirms the case and outlines the charges.
What the filings and investigative materials reveal
- A multi-year scheme targeting athletes’ accounts. DOJ summaries allege Weiss accessed personal email, social media, and cloud accounts of victims from 2015–2023, with investigators seizing thousands of intimate images and videos during searches.
- Scale that reaches far beyond Ann Arbor. National reporting tied to the indictment describes alleged access across dozens of schools and thousands of victims, while civil suits filed in Michigan court name the University of Michigan and outside vendors as additional defendants.
- U-M breach context. Separately, U-M publicly acknowledged a campus network infiltration in Aug. 2023 and, later, a Michigan Medicine email intrusion in May 2024—events that underscore systemic risk and raise questions about institutional safeguards during the Weiss investigation timeline.
Bottom line from the records: Prosecutors say Weiss wasn’t just “peeking” at work email—he’s accused of methodically compromising personal accounts to harvest private content at scale. He has pleaded not guilty.
Weiss’s Alleged Role in the Unauthorized Access
The indictment centers on unauthorized logins and identity-theft conduct—the government says Weiss used other people’s credentials to enter restricted, personal accounts and then stored the material he obtained. While the charging documents do not resolve every factual dispute, they position Weiss as the principal actor behind the access.
Internal Misuse—or an Outside Hack?
From what’s public today, the criminal case frames the conduct as credential-based intrusions—human-driven, targeted access—not a single external malware event. That aligns with U-M’s separate disclosures: one incident involved network infiltration (Aug. 2023), and another involved compromised employee email accounts (May 2024). Neither disclosure, on its face, contradicts the government’s portrayal of account-level abuse in the Weiss matter.
What about communications with U-M IT and administrators?
Civil filings and news coverage indicate Weiss was placed on leave and later terminated during a U-M police inquiry into “computer access” in the football facility, and that he did not cooperate—facts now echoed in national reporting tied to the federal case. The detailed content of any internal emails or meeting notes has not been comprehensively released to the public; expect those to emerge through discovery and FOIA fights as the civil suits advance. (New York Post)
Key Unanswered Questions
- Negligence or intentional misconduct—or both?
The indictment alleges intentional unauthorized access and identity theft. The civil side will test whether institutional negligence (e.g., weak access controls, poor monitoring, delayed containment) enabled that misconduct. (Department of Justice)
- Did U-M properly protect sensitive student-athlete data?
U-M acknowledges separate security incidents (2023 network infiltration; 2024 Michigan Medicine email compromise) that affected tens of thousands, highlighting broader security debt. Plaintiffs will likely argue the university failed reasonable safeguards and moved too slowly once red flags appeared. (twingate.com)
- How many were truly impacted—and how?
Press accounts tied to the indictment reference thousands of athlete victims and mass seizures of intimate content. Precise victim counts, the nature of data (IDs, emails, medical/athletic records), and the pathways used will be clarified through discovery and future filings. (AP News)
Your Privacy Deserves Protection
The evidence is becoming impossible to ignore. The Matt Weiss U of M data breach wasn’t a fluke—it was preventable. The latest documents reveal that critical warning signs were missed, security protocols were insufficient, and internal oversight failed when it mattered most. For thousands of students, athletes, staff, and alumni, that negligence translated into exposed data, stolen privacy, and shattered trust.
This wasn’t just about technology—it was about accountability. When institutions like the University of Michigan allow private information to fall into the wrong hands, they betray the very people who built their legacy.
At Marko Law, we believe avoidable harm deserves justice. That means holding powerful institutions accountable, demanding transparency, and fighting relentlessly for every individual whose data was compromised. We’ve taken on some of Michigan’s largest entities—and won—because protecting the public isn’t just our profession, it’s our purpose.
If you’re one of the many affected by the U of M breach, now is the time to take action. Don’t wait for the university to control the narrative or minimize the damage. You have rights. You have power. And you deserve answers.
Marko Law stands with you. Our attorneys are continuing to investigate the full extent of U of M’s failures, reviewing every new filing, FOIA release, and institutional response to ensure no detail is buried and no victim is forgotten.
Contact Marko Law for a Free Case Evaluation
📞 Phone: +1-313-777-7777
📍 Office: 220 W. Congress, 4th Floor, Detroit, MI 48226
🌐 Website: www.markolaw.com