Former Michigan football coach Matthew Weiss is mounting a robust defense against aggravated identity theft charges stemming from allegations he hacked into over 3,000 student-athlete accounts to steal intimate photos and personal data. This legal fight not only determines Weiss’s fate but sets a critical precedent for how digital trespass is prosecuted, with significant implications for data security and institutional accountability in sports.
In a case that has sent shockwaves through the collegiate and professional sports communities, former University of Michigan and Baltimore Ravens assistant football coach Matthew Weiss is vehemently challenging federal prosecutors’ efforts to categorize his alleged computer hacking as aggravated identity theft. The 42-year-old coach, who pleaded not guilty in March 2025 to 24 charges, faces a potential nine decades in jail if convicted on all counts, including 14 counts of unauthorized computer access and 10 counts of aggravated identity theft.
The core of the current legal skirmish revolves around the defense’s argument that the government is attempting to “turbocharge punishments for routine laptop trespass” by applying aggravated identity theft statutes to what they describe as “digital trespassing.” This legal maneuvering has far-reaching implications, not just for Weiss, but for how cybercrime is prosecuted and the penalties associated with unauthorized digital access moving forward.
The Depth of the Allegations: A Sprawling Digital Invasion
Prosecutors accuse Weiss of a sophisticated and wide-ranging hacking scheme that spanned from 2015 to January 2023. This intricate operation allegedly involved gaining unauthorized access to student-athlete databases maintained by a third-party vendor, affecting over 100 colleges and universities. From these databases, he is said to have downloaded the personal and medical information of more than 150,000 athletes, creating a vast pool of data for his alleged subsequent actions.
Using this harvested information, Weiss then allegedly accessed the social media, email, and cloud storage accounts of more than 3,300 student-athletes and an additional 1,300 students or alumni from various schools across the U.S. The U.S. Justice Department’s Mega Victim Case Assistance Program disclosed that investigators seized “thousands of candid, intimate photographs and videos” from his devices and cloud accounts, with many showing victims naked or engaged in explicit sexual acts. This scale of invasion underscores a profound breach of privacy and trust, particularly among vulnerable student-athletes.
From the Sidelines to the Courtroom: Weiss’s Career Trajectory
Before these grave allegations surfaced, Matthew Weiss was a respected figure in football coaching circles. He spent over a decade with the NFL’s Baltimore Ravens, joining in 2009 as an assistant to head coach John Harbaugh. During his tenure, he contributed to a Super Bowl XLVII win, coached star players like Elvis Dumervil and C.J. Mosley to Pro Bowl selections, and helped the Ravens break the NFL record for rushing yards in 2019.
In 2020, Weiss transitioned to college football, joining the University of Michigan as co-offensive coordinator under head coach Jim Harbaugh. He was part of the Wolverines’ successful 2022 season, where they finished 13-1 and made the College Football Playoff. However, his coaching career at Michigan came to an abrupt halt in January 2023 when he was fired during an investigation into his computer use. Both Jim and John Harbaugh expressed their shock at the allegations, with Jim Harbaugh stating he was “completely shocked” and did not learn of them until after Weiss’s final game in 2022, as reported by AP News.
The Legal Showdown: Hacking vs. Identity Theft
The crux of Weiss’s current defense lies in differentiating his alleged actions from the legal definition of aggravated identity theft. His attorney, David Benowitz, argues in a motion filed in U.S. District Court for the Eastern District of Michigan on October 14, 2025, that “hacking is hacking, not identity theft,” as reported by AOL. The defense contends that the Computer Fraud and Abuse Act (CFAA) provides a specific framework for computer hacking offenses, which typically carry lighter sentences, often probation, for “unauthorized digital access.”
However, aggravated identity theft mandates a two-year minimum sentence per count, to be served consecutively, transforming a “routine computer trespass” into a significantly harsher penalty. Benowitz illustrates this point by stating that merely “inserting the key and unlocking the door does not steal the homeowner’s identity,” implying that using login credentials to access an account, while unauthorized, isn’t necessarily identity theft under Congress’s original intent. This legal argument seeks to limit the scope of prosecution and, consequently, Weiss’s potential sentence.
Broader Implications for Data Security and Institutional Trust
Beyond Weiss’s immediate legal fate, this case raises profound questions about data security, privacy, and institutional responsibility. Civil lawsuits have been filed against Weiss, the University of Michigan, its regents, and Keffer Development Services—the third-party technology vendor allegedly maintaining the student-athlete databases. These lawsuits, brought by former athletes, claim the university failed to adequately supervise and monitor Weiss and neglected to review how private and personal information was stored and accessed.
For financial strategists and investors, the case highlights the growing legal and reputational risks associated with cybersecurity breaches, particularly when third-party vendors are involved. The potential for universities and other organizations to face significant liabilities due to inadequate oversight of sensitive personal data is a critical consideration. The ongoing legal debate about classifying cybercrimes will shape future corporate governance around data protection, making it a pivotal case for understanding evolving digital risks in institutional settings.
What Lies Ahead in the Legal Landscape
With the defense’s motion to dismiss the aggravated identity theft charges now filed, prosecutors have yet to officially respond. The outcome of this motion will heavily influence the trajectory of the case. If the motion is granted, it could significantly reduce the potential penalties Weiss faces, recalibrating the prosecution to focus solely on unauthorized computer access under the CFAA. Conversely, if denied, the government’s approach to “bootstrapping computer trespass into ‘aggravated identity theft’” could set a precedent for more severe punishments in future hacking cases.
This case serves as a crucial bellwether for the intersection of technology, law, and personal privacy in an increasingly digital world. The ultimate resolution will not only determine the consequences for Matthew Weiss but will also help define the boundaries of cybercrime and the responsibilities of institutions entrusted with vast amounts of personal data.