These former college athletes were told a coach may have hacked into their private photos
Volleyball has been a source of joy for Aly Torline, shaping her from a kid in club leagues to collegiate athlete.
The 30-year-old “can’t say enough good things” about her experience at the California State University in San Bernardino. She was recognized as an all-American by a national coaching organization and said the relationships with her teammates and coaches helped shape her into the woman she is today.
For more on this story, watch “NBC Nightly News with Tom Llamas” tonight at 6:30 p.m. ET/5:30 p.m. CT.
But nearly 10 years after graduation, Torline received a notice from federal authorities. The news it delivered, she said, was “brutal.”
The Justice Department informed her that her time on the team exposed her to a data breach: A football coach from across the country whom she had never met is alleged to have used student-athletes’ personal information to access their email, cloud storage and social media accounts and download their private, intimate photos or videos.
“Thinking about what he might have or does have, and not exactly knowing, it just, it makes me feel really vulnerable,” Torline said in an interview. “I felt like a lot of what I thought was private or protected wasn’t, and maybe some of that was just, like, an illusion.”
A federal indictment in March charged former NFL and University of Michigan assistant football coach Matt Weiss with 14 counts of unauthorized access to computers and 10 counts of aggravated identity theft. According to the indictment, Weiss obtained unauthorized access to a platform with personal identifying information about student-athletes from more than 100 colleges and universities across the country.
Weiss is accused of using the information, and additional internet research, to hack into the personal accounts of 3,300 students and alumni, mostly targeting female students, according to prosecutors. He kept notes on whose photos and videos he viewed, “including notes commenting on their bodies and their sexual preferences,” the indictment said.
Weiss pleaded not guilty to all charges in March. His attorney didn’t respond to multiple requests for an interview and comment.
Like Torline, many of the student-athletes who got the same notice don’t know Weiss and have no idea what he might have taken. They said they aren’t even sure which accounts might have been accessed or whether they’re university accounts. Former student-athletes who got notices from the Justice Department that they may have been hacked, four of whom are coming forward publicly for the first time, detailed to NBC News the fear and uneasiness they say they’ve felt since they were identified as potential victims. They’re calling for accountability — and answers.
‘Cyber sexual assault’
Torline is one of dozens of Weiss’ alleged victims being represented by attorneys Megan Bonanni and Lisa Esser in a civil class action lawsuit. The complaint describes the allegations against Weiss as potentially “the largest cyber sexual assault against student-athletes in U.S. history.”
Bonanni and Esser have represented dozens of sexual abuse victims, including victims of Larry Nassar, a sports doctor at Michigan State University who was convicted of sexually abusing hundreds of young athletes, including members of the U.S. women’s gymnastics national team. Bonanni and Esser say there has been an emotional impact on many of the 81 people they’ve spoken to in the Weiss case.
“It really is someone who took — without permission — very intimate, private images that are sexual in nature,” Bonanni said. “And so, when that kind of betrayal, when that kind of assault, happens, it is a sexual assault.”
Of the dozens of people Bonanni and Esser are working with, all five who spoke to NBC News said they haven’t received any more details from federal authorities or their alma maters. A spokeswoman for the U.S. Attorney’s Office for the Eastern District of Michigan declined an interview request from NBC News, citing the pending criminal case against Weiss.
All five student-athletes expressed deep anxiety over being left in the dark about what may have happened.
A 30-year-old woman, whom NBC News agreed to keep anonymous given the sensitive nature of the case, said she started college when she was 17 and can’t help but wonder how far back Weiss could have accessed her photos. She says she’s constantly digging in her mind to figure out what might have been taken from her and how young she may have been in the images.
“I still, like, wake up some days and I’m just like who, what, where, when, why and how?” she said. “And I don’t know if I’ll ever get answers to that.”
Towson University in Maryland, which the woman attended, told NBC News it sent notices to “potentially effected athletes of the breach” in early June.
How was the information accessed?
There’s still little clarity about how Weiss is alleged to have accessed the private information and how he may have been able to hack into so many accounts.
Torline’s lawsuit, filed in U.S. District Court for Central California in April as a Jane Doe, names Weiss, CSU-San Bernardino and a third-party company that owns database software that prosecutors say in the indictment Weiss used, Keffer Development Services.
A search for Keffer Development Services leads to a website for The Athletic Trainer System, which says it was founded in 1994 and appears to also use the name Keffer Development Services.
Its website says its electronic health records system is used by more than 6,500 organizations, including schools, and serves 2 million athletes. It also says it is HIPAA-compliant, referring to the federal law meant to protect medical records and other personal health information.
According to the indictment, Weiss was able to gain access to Keffer databases by compromising accounts with elevated access, like those of athletic trainers. From there, the indictment says, he downloaded the passwords and personal information of student athletes. According to federal prosecutors, Weiss was able to access the personal identifying information for more than 150,000 athletes. This information included some encrypted files containing passwords he was allegedly able to decrypt.
Weiss then, the indictment says, conducted additional internet research to learn athletes’ “mothers’ maiden names, pets, places of birth, and nicknames.” From there, he was able to access student athletes’ mail, cloud storage or social media accounts and download personal and intimate photos and videos, according to the indictment. In several instances, Weiss was able to exploit “vulnerabilities in universities’ account authentication processes” to access student and alumni accounts, the indictment said.
There are also several unnamed “technology providers” from which prosecutors said Weiss accessed students’ photos, videos and private information.
Attorneys for Keffer Development Services declined to comment.
A spokesperson for CSU-San Bernardino said in a statement that it has no record of any contracts or payments to either Keffer Development Services or The Athletic Training System. NBC News wasn’t able to find a publicly available list of the company’s clients. CSU-San Bernardino didn’t comment on whether it had taken action to inform students who might have been affected.
Bonanni doesn’t believe there is “one uniform answer” to the question of how Weiss was able to access individual data, as authorities allege.
“From our understanding, there were multiple failures,” Bonanni said. “There were vulnerabilities in college and universities’ account authentication processes, as well as vulnerabilities from a third-party vendor, Keffer, and also unnamed technology providers.”
The only connection to the case that the potential victims who spoke to NBC News can identify between themselves and Weiss is that they were college athletes.
Feeling betrayed
Clayton Wirth, 27, enjoyed playing soccer at the University of Kentucky. His time in school may have been “intense” thanks to early morning training and hard-fought games in addition to his studies, but he loved it.
Now, he questions whether he put collegiate athletics on a pedestal.
Wirth said that though he has gotten general alumni mail from his alma mater, no one from the University of Kentucky has reached out to him to alert him about the breach. He feels betrayed by the school he trusted and dreamed of playing for as a kid, he said.
The university failed to protect people who “they essentially promised the world to,” Wirth said. “It’s like, hey, we looked up our entire lives to you, and then we gave you the keys, and you basically said, ‘Well, we don’t care about you at all.’”
A spokesperson for the University of Kentucky told NBC News it hasn’t received any notice from the Justice Department, including information about any other details about potential impacts on its students or alumni. It also said it doesn’t use Keffer Development Services.
“We are committed to the safety and well-being of our student athletes and would promptly notify individuals if we were notified of a breach involving our systems,” the spokesperson said.
The U.S. Attorney’s Office for the Eastern District of Michigan did not respond to a request for comment about whether they contacted all schools with students or alumni affected by the breach.
Bonanni and Esser, the attorneys, noted that the Federal Trade Commission recommends a number of safeguards to protect private information, including multi-factor authentication. Multi-factor authentication, which the FTC recommended as early as 2016, requires more than just a password to log in, and it apparently wasn’t enabled on many of the student email accounts, Esser said. (Other accounts, like social media, were also breached in the hack, according to the indictment).
“The sheer size and scope of this hacking and that occurred, I think, informs us that there clearly are protocols and safety measures that aren’t and weren’t in place,” she said.
Torline and another woman, a former swimmer who has also filed a lawsuit in the data breach, allege in their suits that neither their colleges — CSU-San Bernardino and Malone University — nor Keffer Development Services required multi-factor authorization. Both former student-athletes told NBC News that they couldn’t recall their universities’ ever issuing guidance or information about how to secure their personal data.
The former swimmer, Stephanie Sprague, 26, said she couldn’t have imagined that a single year of swimming at Malone University, a private university in Canton, Ohio, could have left her so exposed.
“When it really hit me that this was happening, I was kind of, like, embarrassed, and I felt shame, like upon myself, when I know it’s not my fault and I’m not the person who should be feeling this way,” said Sprague, who fears what consequences the episode could have on her nursing career.
She sued Malone, Keffer Development Services and Weiss in April as a Jane Doe, accusing the university of failing to safeguard students’ private information. No one from Malone University reached out to Sprague to discuss the breach before she spoke to NBC News, she said.
Malone University didn’t respond to a request for comment.
What she wants now is accountability and assurance that changes will be made to prevent such a breach from happening to other students.
“They’re not admitting that this happened,” Sprague said. “They’re not putting any comfort or ease into our minds. They’re just brushing it off.”
Like Sprague, Maddie Maleung, 28, feels her time playing soccer in college left her vulnerable.
Student-athletes spend so much time focused on their educations and sports with the “assumption that the information that was provided to our universities would be protected,” said Maleung, a former goalkeeper for Radford University in Virginia.
A spokesperson for Radford said that the university has had no communication from authorities in relation to the breach and that it hasn’t contracted services from Keffer Development Services. The school added that it takes data privacy very seriously and “will continue to monitor the national situation closely.”
Maleung, who is in a dental residency at Ohio State University, said, “They let us down, and that information actually wasn’t protected securely.”
She, too, wants accountability. All of the parties involved need to look at how to make sure it doesn’t happen again, Maleung said.
“There’s really not an excuse anymore,” she said. “If you collect the data, you need to protect it.”