Think there’s no hacking in baseball? Just like Tom Hanks’s character in A League of Their Own was wrong about there being “no crying in baseball”, it would be wrong to believe there is no hacking in baseball.
Baseball’s opening day is just around the corner. While this offseason included the usual free agent signings (thank you, New York Mets for re-signing Yoenis Cespedes), trades, and contract extensions, it also included news about what may have been the first known case of computer hacking in baseball: the St. Louis Cardinals’ former Director of Baseball Development hacked the Houston Astros. In this article, I’ll cover some of the cybersecurity lessons that all organizations, Major League Baseball or otherwise, can learn from what happened.
Here’s what happened, in a nutshell:
From 2009 to 2015, Christopher Correa worked for the Cardinals, and in 2013 became the team’s Director of Baseball Development. This job entailed giving analytical support to the team, think Moneyball-type stuff, where teams measure and analyze player statistics and performances to look for advantages. In 2011, Cardinals’ executive Jeff Luhnow left the team and joined the Astros as its General Manager. When Luhnow was leaving the Cardinals, he had to turn over his team-owned laptop, as well as the password, to Correa.
The Astros used a private, password-protected online database that they named “Ground Control” to house their baseball development information. This included confidential and proprietary scouting information and rankings about every player eligible for the draft, current MLB players, medical and injury reports, trade discussions and negotiations, etc.
Beginning in 2013, Correa used a variation of Luhnow’s old Cardinals password to access, view, and download key parts of the Astros’ Ground Control database, as well as to access Luhnow’s Astros email account. According to the Astros, their system was hacked at least 60 times on 35 different dates over the course of 15 months. As is often the case when an organization is hacked, the Astros were not aware of the hacks for a long time, in this case about a year. The Astros finally learned about it when information from the Ground Control database was published in the media.
The Astros quickly reacted and sent an internal email to employees notifying them that the URL for Ground Control had been changed, and that employees would need to set new passwords. The email also included a new temporary default password for Ground Control. Unfortunately for the Astros, Correa had been accessing not only Ground Control but also the Astros’ email, and thus learned about the new default password. Correa was thus able to access Ground Control for several more months.
In January of 2016, Correa pleaded guilty to five counts of violating the Computer Fraud and Abuse Act (CFAA), which is the federal anti-hacking statute that prohibits intentionally accessing a computer without authorization or exceeding authorized access, and thereby obtaining information. In July of 2016, Correa was sentenced to 46 months in prison, two years of supervised release, and payment of $279,038.65 in restitution. The consequences didn’t end there: in January of 2017, Major League Baseball issued its own discipline, and gave the Cardinals’ first two picks of the 2017 draft to the Astros, required the Cardinals to pay the Astros $2 million, and placed Correa on MLB’s permanently ineligible list.
Any organization that has data (proprietary, trade secret, consumer, etc.) can learn lessons from this story. They include:
- Not all hacks are committed via sophisticated cybercrime techniques. Here, Correa essentially hacked the Astros by using a password he knew or could easily guess, despite the fact that he knew he was not authorized to do so. This was a simple method, but with the same intent and outcome as any other hack, and constituted a violation of the CFAA just like a more sophisticated attack would have.
- Require strong and unique passwords. Don’t use the same passwords for multiple accounts, or even derivatives of other passwords, especially when you know that a password has been compromised. For example, if Luhnow’s password with the Cardinals had been Baseball2011!, changing it to something like Baseball13! after he joined the Astros wouldn’t have been a good choice because it would be too easy to guess if someone obtained the old Cardinals password. Here, of course, Luhnow had given his old password to Correa, and it was easy for Correa to guess the new passwords for both Ground Control and Luhnow’s email account. While the password examples above were good in the sense that they had both upper and lower case letters, numbers, and a special character, they were bad because they were not unique.
- Require frequent password changes. Here, even if Correa was able to guess Luhnow’s password once, if Luhnow had been required to change the password to a strong and unique password, the damage would have been limited and Correa wouldn’t have been able to access the Astros’ confidential data for as long as he did.
- Configure password-protected accounts to lock after a certain number of failed log-on attempts, perhaps five. Here, while we don’t know how many failed attempts Correa may have had, it is possible that such a configuration could have kept him out of the Astros’ system and alerted the team about a potential problem.
- Use two-factor authentication. Two-factor authentication requires input of a second “factor” beyond a password. The way this usually works is after a password is entered, a text message with a six-digit code is sent to the account owner’s cell phone, and that code must be entered after the password in order to access the account. Here, even if Correa had passwords for Luhnow’s Ground Control access or email account, Correa would have also needed Luhnow’s cell phone to gain access.
- Assume the worst, and hope for the best. When the Astros learned from the media that Ground Control had been compromised, they should have assumed that their other systems, such as email, had been compromised as well. While it was good that the Astros acted quickly to change the URL for Ground Control and inform employees they needed to change their passwords, they should not have used the email system to inform employees of the new default password. Here, Correa had access to the Astros’ email system and used the default password himself for months. A better way of communicating here would have been to do so in person or by phone.
- Limit the use of default passwords. If the Astros had made sure that employees actually changed their passwords rather than use the default, Correa’s access would have been stopped months earlier.
- Use cybersecurity software that can keep track of activity on the organization’s network and monitor incoming and outgoing traffic for suspicious activity or signs of a data breach. Here, for example, Correa was not only accessing the Astros’ information, but also downloading it. If the Astros had been properly logging and monitoring the network, the increased network activity should have at least raised a red flag. And, Correa was sometimes accessing the Astros’ network from locations where there were no Astros executives. For example, he sometimes accessed the system from St. Louis or Jupiter, Florida (Jupiter is the home of the Cardinals’ spring training facilities, a two-hour drive from the Astros’ spring training facility in Kissimmee, Florida). Again, this was another red flag that should have caused someone in the Astros’ organization to say “Houston, we have a problem.” Note: that’s two Tom Hanks movie lines from two different movies in the same blog post!
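The “derivative password” problem from the strong-and-unique-passwords lesson can be caught at the moment a new password is set. The following is an added example, not code from the original post or from either team: a policy check that rejects a new password whose word part matches an old one (the Baseball2011! to Baseball13! case) or that is otherwise too similar to it; the 12-character minimum and the 0.6 similarity threshold are assumptions chosen for illustration.

```python
import difflib
import re

MIN_LENGTH = 12            # assumed policy minimum (illustrative)
SIMILARITY_THRESHOLD = 0.6 # assumed cut-off for "too close to the old one"


def core(password):
    """Lowercase the password and drop digits and punctuation, leaving the
    word people tend to keep when they merely "tweak" an old password
    (Baseball2011! and Baseball13! both reduce to "baseball")."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_derivative(new_pw, old_pw, threshold=SIMILARITY_THRESHOLD):
    """True if new_pw is a variation of old_pw rather than a fresh password."""
    if core(new_pw) and core(new_pw) == core(old_pw):
        return True  # same word, only the year or symbol changed
    ratio = difflib.SequenceMatcher(None, new_pw.lower(), old_pw.lower()).ratio()
    return ratio >= threshold


def check_new_password(new_pw, old_passwords):
    """Return the list of reasons to reject new_pw; empty means accepted.
    old_passwords holds the user's previous passwords plus any password the
    user already uses elsewhere, such as one handed over to a former employer."""
    reasons = []
    if len(new_pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Z]", new_pw) and re.search(r"[a-z]", new_pw)
            and re.search(r"[0-9]", new_pw) and re.search(r"[^A-Za-z0-9]", new_pw)):
        reasons.append("missing upper, lower, digit or special character")
    for old in old_passwords:
        if is_derivative(new_pw, old):
            reasons.append("derivative of a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed inputs mirroring the post's example.
    print(check_new_password("Baseball13!", ["Baseball2011!"]))
    print(check_new_password("Tr0ub4dor&3xample", ["Baseball2011!"]))
```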
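Three of the lessons above (account lockout after five failed log-ons, access from a location the account owner would not be in, and bulk downloading) can be expressed as detection rules over an access log. The code below is an added example, not code from the original post or from any MLB team: it runs those rules over a constructed log for a Ground Control-style database. It only raises alerts; enforcing the lockout would be the application's job. The user names, locations, event names and the 20-file download threshold are constructed for illustration.

```python
from collections import defaultdict

FAILED_LOGON_LIMIT = 5   # flag the account after this many failures in a row
DOWNLOAD_LIMIT = 20      # files fetched in one session that warrant a red flag

# Constructed sample log in time order: (user, event, location, files).
# "files" is the number of files fetched for a download event, else 0.
SAMPLE_LOG = [
    ("luhnow", "login_ok",   "Houston",   0),
    ("luhnow", "download",   "Houston",   4),
    ("luhnow", "login_fail", "St. Louis", 0),
    ("luhnow", "login_fail", "St. Louis", 0),
    ("luhnow", "login_fail", "St. Louis", 0),
    ("luhnow", "login_fail", "St. Louis", 0),
    ("luhnow", "login_fail", "St. Louis", 0),
    ("luhnow", "login_ok",   "St. Louis", 0),
    ("luhnow", "download",   "St. Louis", 25),
    ("scout1", "login_ok",   "Kissimmee", 0),
    ("scout1", "download",   "Kissimmee", 2),
]

# Locations each account is expected to log on from (constructed assumption).
KNOWN_LOCATIONS = {"luhnow": {"Houston", "Kissimmee"}, "scout1": {"Kissimmee"}}


def analyze(log, known_locations):
    """Return (alert_type, user, location) tuples, in log order."""
    alerts = []
    fails = defaultdict(int)   # consecutive failed log-ons per user
    flagged = set()            # users already reported for lockout
    session = {}               # user -> [location, files fetched this session]
    for user, event, location, files in log:
        if event == "login_fail":
            fails[user] += 1
            if fails[user] >= FAILED_LOGON_LIMIT and user not in flagged:
                flagged.add(user)
                alerts.append(("lockout", user, location))
        elif event == "login_ok":
            fails[user] = 0
            if location not in known_locations.get(user, set()):
                alerts.append(("new_location", user, location))
            session[user] = [location, 0]   # a successful log-on starts a session
        elif event == "download" and user in session:
            session[user][1] += files
            if session[user][1] > DOWNLOAD_LIMIT:
                alerts.append(("bulk_download", user, session[user][0]))
                session[user][1] = 0   # report once per threshold crossing
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_LOCATIONS):
        print(alert)
```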
There is no such thing as perfect cybersecurity. However, implementing the lessons learned from the Astros’ breach will help reduce the odds of a breach occurring, and also limit the damage of one when it does occur. I’m looking forward to the baseball season starting. Hopefully the only things stolen will be bases, and not information.