Advanced Computing in the Age of AI | Saturday, January 29, 2022

Old Passwords, Anonymity Software Suspected in Baseball Hack 

The database hacking scandal rocking Major League Baseball raises new questions about how to secure insider information about the algorithms developed by professional sports teams to evaluate prospects and assign values to ballplayers offered or sought in trades.

If the St. Louis Cardinals breached the network and database of the Houston Astros, as has been alleged by federal investigators, it would constitute a federal crime under the Computer Fraud and Abuse Act, officials said this week. It is also believed to be the first such case of corporate espionage in which one professional sports team hacked another team's network.

The names of the Cardinals officials under investigation were not released.

In a statement released on Wednesday (June 17), Cardinals Chairman and CEO William DeWitt said: "We are committed to getting to the bottom of this matter as soon as possible, and if anyone within our organization is determined to be involved in anything inappropriate, they will be held accountable."

Added Cardinals' general manager John Mozeliak: "We are committed to finding out what happened. To the extent we can substantiate that these allegations have merit, we will take appropriate action against anyone involved."

Cardinals' officials also said they learned about the allegations "months ago," launched an internal inquiry and have since cooperated with federal investigators. Major League Baseball also said it was cooperating in the probe.

The New York Times first reported earlier this week that the F.B.I. and the Justice Department are investigating whether Cardinals' front-office officials hacked an Astros' database containing closely held player personnel information. The probe reportedly focuses on an Astros' database dubbed "Ground Control" that was assembled by a former Cardinals' executive, Jeff Luhnow.

When he was hired as general manager of the Astros in 2011, Luhnow took with him the "residual intellectual property" in his head, which he used to reconstruct the database containing his considerable baseball knowledge. He also reportedly failed to change the passwords used to access the database.

According to several reports, Cardinals' front-office employees likely used the existing password list to gain access to the Astros' database while also failing in the process to cover their tracks.

The Times report cited law enforcement officials as saying the Cardinals might have suspected Luhnow took proprietary data with him to Houston. The report called Luhnow a "polarizing figure" during his highly successful tenure as a talent evaluator with the Cardinals.

Polarizing or not, Luhnow has a nearly unmatched record of spotting baseball talent. The Cardinals have steadily supplemented their lineup with fresh talent discovered by Luhnow. The team played in three World Series and won two before Luhnow left for the Astros in December 2011.

According to the Times, hackers also may have used Tor anonymity software designed to conceal a user's identity by bouncing communications around networks of servers. Volunteers operate many of the Tor network servers, and federal investigators working backwards to trace the hack may have raided one or more of the servers that led them to the source of the hack.

Yahoo Sports reported after word of the hacking investigation broke that the F.B.I. traced the breach back to a residence in Jupiter, Fla., where the Cardinals hold spring training. Several Cardinals employees reportedly used the house, according to the Yahoo Sports account, which cited an unnamed official familiar with the investigation.

If the allegations against the Cardinals organization are proven, security analysts said punishment may depend on how many employees were involved. "Some may be expecting the [Major League Baseball] to consider punishment against the Cardinals but if this is a single person acting on his/her own then the criminal system is the most appropriate method," said Mario Balakgie of World Wide Technology Inc.

The lesson to be drawn from the hacking incident, Balakgie added, is that "every business has confidential and/or sensitive data within their environment that can be subject to misuse by an insider or external hack. Companies should [assume] that confidential and highly sensitive data is subject to some level of risk of unwanted exposure and needs to be appropriately protected."

Changing passwords and two-step, or multi-factor, authentication are obvious steps.

Clearly, the Astros failed to heed these security warnings. On the other hand, the hacking allegations were unexpected in a sport that tolerates stolen bases and stolen signs but will now have to determine what action to take in the unprecedented and troubling case of stolen proprietary data.

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).
