Baseball Executive Found Guilty of “Performance Enhancing" Hack Attack

The “Moneyball” revolution in baseball has produced a dependence on analytics, both for measuring individual player performance and for overall team makeup. This shift has now presented at least one Major League Baseball franchise with major data security questions.

On January 9, 2016, the former scouting director of the St. Louis Cardinals pled guilty to five counts of unauthorized access to a private computer for utilizing a former employee’s credentials to hack into a rival team’s scouting database. His actions brought to light the threats of data security to all competitive sports franchises.

Christopher Correa, a longtime member of St. Louis’ front office, was charged with taking liberties with his former boss’s login credentials. The contemporary, listed in the indictment as “Victim A” (believed to be current Houston Astros General Manager Jeff Luhnow), apparently used the same login credentials as he did when he was a member of the Cardinals’ front office. Correa used this information to hack into Houston’s scouting database several times last June around the MLB First-Year Player Draft. The government has estimated the value of information Correa gained as a result of the hack at $1.7 million.

Correa had also accessed employee emails and 188 separate pages of confidential information by using “Victim A’s” credentials. Since “Victim A” had universal clearance within his organization’s databases, it gave Correa some useful information on whom St. Louis was scouting. Correa has subsequently admitted his crime and told the presiding judge, Lynn Hughes that it was a “stupid,” thing to do. Sentencing will begin on April 11, 2016.

Luhnow recognized the security problem and changed his credentials, which resulted in Correa hacking into the Astros’ email-server and getting the credentials of two more of the organization’s employees. When he accepted the GM job in Houston in 2011, Luhnow’s lack of password protection put his entire organization’s data infrastructure at risk. He made the following statement shortly after Correa’s plea:

I absolutely know about password hygiene and best practices. I’m certainly aware of how important passwords are, as well as the importance of keeping them updated. A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard.

Despite his comments, it took a rival hacking into his organization’s database for Luhnow to follow industry best practices and alter his login credentials. This situation presents a stark example of how network security is an end-to-end initiative. It’s just as important for people to follow best practices of password management as it is to have integrated intrusion security and access control solutions for your network.

You don’t get three strikes to secure your network against malicious entities that may want to get in. To get more information about the best practices for comprehensive network security, or to speak with our certified technicians about remote monitoring and management or other comprehensive network security solutions, call us today at (586) 258-0650 .