Back in mid-June it was reported the St. Louis Cardinals were being investigated for hacking into the Houston Astros' computer database and accessing sensitive information. While the FBI and Justice Department prosecutors conducted their probe, HNGN spoke with Jason Eaddy, a digital forensics expert at Stroz Friedberg, to pinpoint the specifics and provide a more transparent understanding in order to help us avoid sifting through the legalese and technological parlance.

Last year federal investigators uncovered evidence suggesting employees of the Cardinals' organization breached Houston's "Ground Control" computer database in 2013 and 2014 and gained access to internal discussions about trades, proprietary statistics and scouting reports, according to The New York Times.

Cardinals ex-scouting director Chris Correa pleaded guilty to five counts of unauthorized access into the Astros' computer system in federal court on Friday. He was fired in July during a self-imposed leave of absence in the midst of the federal investigation, which happened to be the first case of corporate espionage in the world of sports.

When a cyber incident of this nature occurs in any realm, that's where Eaddy comes in.

Stroz Friedberg is a "global leader in investigations, intelligence and risk management." The company's experts specialize in the fields of digital forensics, investigations, forensic accounting, incident response, security, compliance, data discovery, intelligence and due diligence. Before Stroz Friedberg acquired Elysium Digital, Eaddy oversaw Elysium's forensics and discovery division, which handled all projects that are based in computer forensics, intellectual property or electronic discovery.

"On the forensics and incident response side we will go in and conduct an investigation. Along these lines, we look at hacking incidents to figure out what actually occurred, who was involved, when the hack occurred, what access did they have to the data that was breached, and what happened to the data after the breach," Eaddy told HNGN in an exclusive interview.

"The Astros, for instance, would hire a company like ours to perform an investigation based upon signs a breach occurred. The investigation often results in reaching out to the FBI or the filing of litigation in incidents of corporate espionage."

(Note: Eaddy and Stroz Friedberg/Elysium Digital were not involved in this case.)

The last update regarding the Cardinals/Astros case - before Correa pleaded guilty to charges on Friday - came in early July when CNN reported federal investigators have "recommended charges be brought against at least one St. Louis Cardinals employee implicated in the probe of an alleged computer intrusion of databases belonging to the Houston Astros."

At the time, the FBI reportedly had four to five people of interest in the case. However, at this point, Correa was the only one charged. His sentencing hearing is scheduled for April 11, so we'll again be waiting on the official outcome of the case.

"Each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine. Correa will pay $275,000 in restitution as well," Reid Laymance of the Houston Chronicle reported on Friday. (Click that link to check out the court documents as well.)

Perhaps the average reader saw a headline about the hacking scandal back in June and didn't think much of it. "Oh, it's just baseball. No big deal." Or maybe others thought it was a bunch of analytics nerds battling for supremacy in front offices across MLB.

But it is a big deal. Stealing intellectual property is a crime. As you can see, when such sensitive and expensive information is compromised - regardless of domain or field - there's a hefty price to pay.

As we approach the conclusion of the Cardinals/Astros case, there are a number of questions to consider:

• How was Correa tracked down?

• Exactly how did he hack the Astros' computer database? 

• What laws protect the Astros in this case?

• What are the consequences of such criminal digital activity?

• Is this any different from a similar case involving two entities outside of sports?

• Will the sports world witness an increase in such hacks given the fact almost all pertinent scouting/statistical information has gone digital in recent years?

Thanks to Eaddy, we were able to answer all of those questions thoroughly.

So how did the Cardinals gain access to the Ground Control database? The initial report of the incident noted Astros' current general manager - and former Cardinals' executive - Jeff Luhnow left behind a list of passwords he used while working for St. Louis. Luhnow also established the Cardinals' computer database "Redbird," which is the same type of system he now uses in Houston.

(Photo: Bob Levey/Getty Images) Jeff Luhnow

However, in an interview with Sports Illustrated, Luhnow acknowledged that the list of passwords - even if it was in possession of the accused Cardinals' officials - likely had no effect on the alleged breach because he knows about "password hygiene and best practices" considering he was a technology executive before transitioning to a career in baseball.

"I'm certainly aware of how important passwords are, as well as of the importance of keeping them updated," Luhnow said in the interview. "A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard."

But is there still a possibility his password practices weren't astute enough to deter hackers?

"You can have a good password practice or a long complex password, but if it's based upon something that is knowable about you - and obviously the Cardinals' organization is going to know a lot about [Luhnow], especially with this said list of passwords - they're going to have a good idea as to the types of information he would use in creating a password," Eaddy explained. "Just because he changed his password doesn't mean it was something somebody couldn't guess ... In this case, the general manager is a public figure, so you have information about him and you can make some reasonable guesses as to what types of passwords would be used and what personal information might go in there."

Despite Luhnow's comments, it seems as if the Astros weren't implementing the safest measures in terms of password protection. After all, the system was breached on multiple occasions.

"From a best practices standpoint, what you really want is a set of randomized characters and letters and punctuation, but the problem there is that you can't remember that," Eaddy continued. "So there are various tools designed to hold these complex passwords. This software exists for mobile devices and computers and will securely store passwords and generate complex passwords."

According to the court documents, Luhnow changed his password, but it wasn't complex enough.

"Correa illegally accessed the Astros' computers in the following way: In December 2011, as Victim A [Luhnow] prepared to leave the St. Louis Cardinals and join the Houston Astros, he was directed to turn over his Cardinals-owned laptop to Correa - along with the laptop's password. When Victim A joined the Astros, he re-used a similar (albeit obscure) password for his Astros' email and Ground Control accounts. No later than March 2013, Correa began accessing Victim A's Ground Control and Astros' email accounts using this variation of the password to Victim A's Cardinals laptop."
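To make the two points above concrete (Eaddy's advice to use generated passwords and the court documents' account of a reused variation), here is an added example that is not taken from the court documents or from either club's systems. It sketches a check a system could run at password-change time, when the user has just typed the current password, to reject a new password that is only a variation of the old one. The sample passwords are constructed, and the function names, the minimum core length and the 0.8 threshold are assumptions.

```python
import re
import secrets
import string
from difflib import SequenceMatcher

# Fold common character substitutions back to letters before comparing.
LEET = str.maketrans("0134578@$!", "oleastbasi")
MIN_CORE = 4  # assumed: cores shorter than this are too short to compare
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def skeleton(password: str) -> str:
    """Reduce a password to its memorable core.

    Lowercase it, drop the digits/symbols people bolt on at either end
    (years, '!', '#'), undo substitutions inside the word, keep letters.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))


def is_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True if `new` is the old password or a guessable variation of it."""
    if old == new:
        return True
    a, b = skeleton(old), skeleton(new)
    if min(len(a), len(b)) >= MIN_CORE:
        # Same core word with a different wrapper, or one core inside the other.
        if a in b or b in a:
            return True
        if SequenceMatcher(None, a, b).ratio() >= threshold:
            return True
    # Fallback for passwords with little or no alphabetic core.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def generate_password(length: int = 20) -> str:
    """What a password manager does instead: draw every character at random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    old = "Fastball!2011"  # constructed sample, not a real credential
    for candidate in ("f4stball#2013", "MyFastball99", "tG7#qL9vXw2p"):
        print(candidate, "->", "rejected" if is_variation(old, candidate) else "accepted")
    print("generated:", generate_password())
```

A check like this only sees passwords used on the same system; a password carried over from a previous employer's laptop is outside its view, which is why generated, per-account passwords are the stronger control.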

Now that we're on the subject, that's not the only way a computer hack can occur. The following factors Eaddy elaborated upon could also potentially have played a role in the Cardinals/Astros case.

So let's say there wasn't a password list left behind, Luhnow didn't turn over his laptop to Correa, and the Cardinals' front office was comprised of executives who had no prior relationship with Luhnow. Eaddy said a "phishing attack" is another way Correa could have hypothetically gained access to the Ground Control database.

Phishing is "the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft," according to Webopedia.

"Phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website, however, is bogus and the attackers will capture and steal any information the user enters on the page."

Here's another way Eaddy said Correa may have breached Ground Control:

"If you're talking about generally accessing the system, it comes down to how secure the system is. In this case it's a web-based program, so you can access it from your smartphone, laptop, etc. Just going to that page, a hacker would be able to learn information about the website, about what the thing is running on, about what the system is underneath it."

Correa's hacks, according to the court documents, spanned from March 2013 until the end of June 2014. He accessed the Astros' database multiple times before the Houston Chronicle published an in-depth article about Ground Control, which prompted team officials to change Ground Control's URL as well as the passwords for every user of the system.

But they apparently forgot the email passwords.

The court documents said Correa again accessed Luhnow's Astros e-mail account and discovered the e-mails that disclosed Ground Control's new URL and Luhnow's new password to access the system.

(Photo: MLB.com) Chris Correa

So exactly what information was Correa uncovering during his series of breaches?

Scouting lists/reports for every player in that year's draft (the court documents elaborate more on that); pre-draft and post-draft notes; trade discussions/notes with other MLB clubs; notes from Astros scouts regarding international players; advanced analytic information on players Houston was considering signing or drafting; and other confidential info.

But let's backtrack a little bit.

How in the world did the FBI and Justice Department originally track down the suspects?

The hack was traced back to a computer in a house near the Cardinals' spring training complex in Jupiter, Fla., prior to the 2014 season. The investigators found the IP address that belonged to the residence, which led them to the suspects at the time.

"What they're going to be able to do is see if there was an access at a certain point in time and the computer [Ground Control] is going to log that access. Part of that log is going to contain the IP address," Eaddy continued. "From there you're able to work out what Internet Service Provider (ISP) owns that IP address - in all likelihood it's going to be a cable company if it is at a home - and you can then go to that company and ask them where that IP address was located in that point in time. Then the company can tell you the address was assigned to a specific house at that point."
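The first step Eaddy describes, pulling the source IP address and time of each access out of the application's log, looks roughly like this. This is an added example, not code or data from the investigation: the log format, the account names, the dates and the "expected" office network are all constructed, and the addresses come from ranges reserved for documentation.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical format; the article does not
# describe what Ground Control's real access log looked like.
SAMPLE_LOG = """\
2014-03-03T14:02:11Z user=user_a src=192.0.2.10 action=login status=ok
2014-03-03T14:40:52Z user=scout1 src=192.0.2.23 action=login status=ok
2014-03-09T02:14:07Z user=user_a src=203.0.113.45 action=login status=ok
2014-03-09T02:15:30Z user=user_a src=203.0.113.45 action=view status=ok
2014-03-10T09:01:44Z user=user_a src=192.0.2.10 action=login status=ok
2014-03-16T01:47:19Z user=user_a src=203.0.113.45 action=login status=ok
2014-03-17T08:30:00Z user=scout1 src=198.51.100.7 action=login status=fail
"""

# Assumed: the networks the organisation expects its own staff to use.
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line: str) -> dict:
    """Split one 'timestamp key=value ...' line into a record."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def unexpected_logins(log_text: str, expected=EXPECTED_NETS) -> dict:
    """Successful logins from outside the expected networks,
    grouped by (account, source IP) with every timestamp kept."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "login" or rec["status"] != "ok":
            continue
        if any(rec["src"] in net for net in expected):
            continue
        hits[(rec["user"], str(rec["src"]))].append(rec["time"])
    return dict(hits)


def isp_request_rows(hits: dict) -> list:
    """One row per address: (IP, first seen, last seen, account). The time
    window matters because an ISP can reassign an address over time."""
    return sorted((ip, min(ts).isoformat(), max(ts).isoformat(), user)
                  for (user, ip), ts in hits.items())


if __name__ == "__main__":
    for row in isp_request_rows(unexpected_logins(SAMPLE_LOG)):
        print(row)
```

The resulting rows are what an investigator takes to the provider that owns the address block: which subscriber held this address between these two times.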

The intruder(s) attempted to cover his/her/their tracks to disguise their location, but that obviously failed. At least four Cardinals' employees hired criminal defense lawyers at the time, people briefed on the investigation told The New York Times. Early on in the probe it was noted high-ranking Cardinals' officials were in the clear, meaning the alleged hackers were believed to be lower- to mid-level individuals among the team's baseball operations staff.

How come these "high-ranking officials" were exonerated so quickly?

"Most people are going to understand the computer logging activities and from a high-ranking official perspective. The chances of getting caught have to be balanced against the penalties that would be incurred if you are," Eaddy said. "When you think about it, the chances of a lower-ranking employee committing such an act certainly seem higher than it being a widespread corporate espionage event simply because of the liability that would be incurred if they were caught."

Well, Correa was in a higher-ranking position, considering scouting director is fifth-removed from the senior vice president and general manager position, according to the Cardinals' website. Scouting directors typically aren't in the spotlight, but they're certainly not low-ranking employees, as their responsibilities are integral to the team's success.

"Typical duties of a Scouting Director include coordinating all scouting for the First Year Player Draft every June, international scouting and MLB advanced scouting for the major league club," according to Baseball-Reference.com. "In many cases, the team scouting director is the sole decision maker over the team's first several draft picks on draft day."

It's also important to take note of the federal laws that protect the Astros in this specific case. Early on when the investigation was made public, one lawyer mentioned the Computer Fraud and Abuse Act (CFAA) - which was enacted by Congress in 1986 - is directly applicable to this incident.

The federal statute was passed as a result of the dawn of the computer age in the 1980s and was originally enforced to protect government computers from hackers committing acts of espionage. However, now that computers and various other forms of technology are omnipresent in today's society, the law extends beyond government equipment and aims to safeguard anyone who has private information stored on a technological device.

"This act pretty much comes up in any hacking case because what someone is doing is downloading software to access a system and causing harm to the system," Eaddy said.

So what harm was done to the Astros in this case if the Cardinals merely accessed their database?

"The 'causing harm' is debatable in this scenario," Eaddy added. "The 'loss' of information by the Astros and the costs incurred in the investigation would often be cited as the harm that results from the unauthorized access to the computer system. This is what lawyers look for because however much that breach cost their client is going to be directly applicable to the CFAA."

Here's the breakdown of what offenses fall under the law and the sentences that come with it if a party is convicted:

| Offense | Sentence (Maximum penalty in parentheses) |
|---|---|
| Obtaining National Security Information | 10 (20) years |
| Accessing a Computer & Obtaining Information | 1 or 5 (10) years |
| Trespassing in a Government Computer | 1 (10) years |
| Accessing a Computer to Defraud & Obtain Value | 1 (10) years |
| Intentionally Damaging by Knowing Transmission | 1 or 10 (20) years |
| Recklessly Damaging by Intentional Access | 1 or 5 (20) years |
| Negligently Causing Damage & Loss by Intentional Access | 1 (10) years |
| Trafficking in Passwords | 1 (10) years |
| Extortion Involving Computers | 5 (10) years |

Correa committed a few of those offenses based on the court documents. He was ultimately charged with Unauthorized Access of a Protected Computer, which violates Title 18, United States Code, Sections 1030(a)(2)(C) & (c)(2)(B)(iii).

And don't forget: just because we're dealing with the realm of sports doesn't mean the offense is any less significant. It's the same as any other case of corporate espionage. A price tag can be put on almost anything nowadays, and in the advanced scouting world of baseball, which has witnessed an unprecedented statistical breakthrough over the past 20-plus years, you can bet any piece of scouting information from any level of baseball has some sort of value.

"It's intellectual property," Eaddy pointed out. "This is no different than it occurring at any other corporation. You look at the Astros' success over the last four years and the changes that they've made, you can imagine someone wants to have information as to why they're doing what they're doing with their personnel ... There's a pitcher from the Rockies they picked up a couple years back who was struggling early on in his career, but he's now a contributing member of their starting rotation. I forgot his name, but that's a great example of how useful information came out of this. The location of one's pitches, how much rotation a curveball has, etc. Others don't even need to know the exact data being collected, they just need to know what type of data is being collected to gain use of the information."

Collin McHugh was that pitcher the Astros picked up from Colorado. Prior to arriving in Houston after the 2013 season, McHugh had never pitched in more than eight games in each of his two previous seasons. From 2012-2013 with the Rockies and New York Mets, the right-hander was 0-8 with an 8.94 ERA and 1.80 WHIP over 15 games (nine starts), totaling 47-1/3 innings.

Then he joined the Astros.

He was converted to a full-time starter in 2014 and currently owns a 30-16 record with a 3.39 ERA, 1.17 WHIP and 328 strikeouts in 57 starts (358-1/3 innings) with Houston. That type of scouting/front office personnel decision can save a franchise millions of dollars.

Correa could have easily spotted such information in Ground Control to gain a competitive edge.

(Photo: Ed Zurga/Getty Images) Collin McHugh

So what does this mean for the future security of sensitive information among MLB teams now that scouting has gone digital and analytics play an overwhelming role in today's game due to the battle between small market teams and big market teams?

"I think that just as systems are used more and more and teams become more reliant on these analytical databases, there will be an increase," Eaddy mentioned. "I don't think it's going to be some sort of marked increase simply because the chances of getting caught are so high. At some point, this whole thing steps outside of the sports world and brings in the real world reality of jail time, which is going to wind up being a major deterrent, even to someone looking to gain a competitive advantage."

Commissioner Rob Manfred has already been tasked with countless pressing issues in his first year in charge of MLB. Cyber security could become a topic of discussion once this case is closed.

In the end, Correa's actions will likely serve as a baseline for future acts of cyber hacking and breaching in the MLB. As noted earlier, he faces up to five years of imprisonment and a maximum fine of $250,000 per count, as per his plea agreement. He'll pay $275,000 in restitution, and if he has to pay the additional $1,250,000 (fine for all five counts), that's a total of $1,525,000.

McHugh's 2015 salary was $516,700, just for some perspective.

But what is the overall price tag that will be placed on the glut of information Correa illegally accessed?

"That's going to require an expert to talk about that," Eaddy said. "How much time and money went into creating the database? How much effort went into gathering information? Someone will be able to talk about it and put a dollar figure on it. What's the value of it to an MLB organization?"

That was also determined on Friday.

"The value of the information that Correa gained unauthorized access to has been set at $1.7 million," Laymance added. "Federal attorneys said they came to the $1.7 million figure based on the Astros' scouting budget and the number of players included in the database."

One can only wonder what the penalty might have been for Correa if he accessed sensitive information prior to the Astros' 2015 draft. The team selected Alex Bregman with the second overall pick ($7,420,100 signing bonus), Kyle Tucker with the fifth overall pick ($4,188,700) and Daz Cameron with the 37th overall pick ($4 million) - totaling $15.6 million.

With the value of players and advanced scouting/analytics skyrocketing by the day, the penalties for such future offenses are only going to become more severe. If we witness another case like this down the road, Correa's potential maximum fine of $1,525,000 might look like chump change.