Baseball, Investigations, Scandal, Sports, Theft

Cards Being Investigated by the FBI for Astros Hack

As an IT professional I read stories all the time about employees leaving with company assets, or about high-dollar corporate espionage.  As an IT architect I am also asked to design new, complex computing environments for every kind of purpose, from cloud computing solutions to simple internal applications sending data back and forth.  I had never thought about corporate espionage reaching the sports world until the report that the FBI is investigating claims that the St. Louis Cardinals hacked into the Houston Astros' organization and took scouting reports, player information, and the recorded notes their employees kept on meetings about various player issues.

Report — FBI investigating St. Louis Cardinals for hacking Houston Astros’ database

Much of what gets called hacking is nothing more than logging in with a password the attacker already knows, and obtaining one is simpler than you may think.  Some examples of how that happens:

  • Trying the default credentials that ship with various computing platforms, which were never changed or removed after the systems were set up.
  • Spyware or other clandestine devices installed at the target location that capture credentials as they are typed.
  • An employee leaves an organization for another and their old accounts are never disabled.
  • Someone walks away from a logged-in device without locking it or logging out.
  • Someone moves from one organization to another but keeps using the same credentials, in particular the same passwords, they used at their previous employer.

The method reported here is the last one on the list, and it is the most avoidable.  Jeff Luhnow worked in the St. Louis Cardinals' front office from 2003 to 2011 before leaving to become General Manager of the Houston Astros.  According to the report, someone, who may or may not have been employed by the Cardinals, used credentials Mr. Luhnow had used in St. Louis to log in to Houston's network and its resources.  A few questions immediately come to mind:

  • Why did IT personnel in the Cardinals organization copy and keep a list of user credentials for their employees, including people who had not worked there for four years?  Passwords should only ever be stored as one-way hashes, so a readable list should not exist in the first place.
  • Who knew about these lists and about the activity around maintaining them?
  • Who decided to hack the Astros?
  • What were the Cardinals looking for?
  • Was this done by a regular Cardinals employee or by a contractor?

Some may say Houston had it coming, since its GM did not use common computing sense and change his passwords when he moved to the Astros, but the law does not work that way.  Hacking, by definition, is unauthorized access to a computing environment, whether just to look around, to cause harm, to change its contents, or to steal its information; knowing a password is not the same as being authorized to use it.  It is the IT equivalent of breaking and entering: if you walk into your neighbor's house uninvited, even through a wide-open front door, you are committing a crime.

How did the Astros conclude that the Cardinals were behind the access?  It is a straightforward thing to trace once you know it is happening.  Nearly every organization runs a semi-public portal through which employees reach internal resources, and those portals require some kind of credential.  Each time a credential is presented, the portal logs the public internet protocol (IP) address the request came from, which user credential was used, and the time of day.  A public IP address is allocated either to an internet service provider or to an organization, such as the Cardinals, that has its own block; you cannot reach the internet without one, and the provider can say which customer was using a given address at a given time.  That is only the logging at the front door.  Behind it, application logs record which user accessed which file or program and when.  Two caveats a practitioner keeps in mind: a source IP identifies a network (a home connection, an office, a hotel), not a person, and an attacker can hide behind a VPN or proxy, so investigators correlate the address with timing and with the application logs before naming anyone.

How did the Astros figure out they were hacked?  Only they can tell us, but usually the alarm goes up when an account behaves out of character.  Outside of email and the reports he reads, what does a GM actually use his credentials for?  A GM does no programming, no data entry, and does not draft contract language; like any manager he reads reports from his staff, handles email, and does a little research, all of which is light on computing and network requirements, and much of it happens outside the organization's systems.  So a login on that account at an odd hour that goes straight to pulling data stands out.  Timing also gives the account's real owner an alibi: if Mr. Luhnow was demonstrably somewhere else, in a meeting or at a game, when his credential was used, that session was not his.  You cannot be in two places at once, even in the computing world.
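To make the tracing and anomaly-spotting described in the two paragraphs above concrete, here is an added example, not code from the original post and not anything the Astros or MLB are known to run. It scans a constructed portal access log for four of the signals just discussed: logins from a network the organization does not recognize, logins outside business hours, bulk exports of reports from one session, and the same account active from two different addresses at the same time. The log format, the account names, the IP addresses (taken from documentation ranges), the list of known networks and the thresholds are all assumptions invented for the illustration.

```python
"""Flag out-of-character portal logins in a constructed access log.

Added example; the log format, accounts, addresses, known networks and
thresholds are invented. Real portal, VPN or SSO logs differ in layout,
but the four checks below apply to any of them.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per credential use at the portal.
# Fields: ISO timestamp, account, source IP, action
SAMPLE_LOG = """\
2015-03-10T09:02:11 gm.user 203.0.113.10 login
2015-03-10T09:02:40 gm.user 203.0.113.10 read report:spring-training-summary
2015-03-10T09:30:05 gm.user 203.0.113.10 logout
2015-03-10T23:41:52 gm.user 198.51.100.77 login
2015-03-10T23:42:10 gm.user 198.51.100.77 export scouting_reports
2015-03-10T23:43:01 gm.user 198.51.100.77 export trade_notes
2015-03-10T23:43:30 gm.user 198.51.100.77 export player_evaluations
2015-03-11T08:50:00 gm.user 198.51.100.77 login
2015-03-11T08:55:00 gm.user 203.0.113.10 login
2015-03-11T08:56:12 gm.user 198.51.100.77 export contract_discussions
2015-03-11T09:10:00 analyst.a 203.0.113.22 login
2015-03-11T09:12:00 analyst.a 203.0.113.22 export depth_chart
"""

# Hypothetical: the networks the organization considers its own (office, VPN pool).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 20)            # 07:00 to 19:59 local time
BULK_EXPORT_THRESHOLD = 3                # exports per account, address and day
CONCURRENCY_WINDOW = timedelta(minutes=30)  # overlap that counts as "two places at once"


def parse_log(text):
    """Turn the whitespace-separated log lines into sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action = line.split(maxsplit=3)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "action": action,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def from_known_network(ip):
    """True if the address falls inside one of the organization's own blocks."""
    return any(ip in net for net in KNOWN_NETWORKS)


def detect(events):
    """Return a list of alert dicts (rule, user, ip, ts) for suspicious activity."""
    alerts = []
    last_seen = defaultdict(dict)   # user -> {ip: timestamp of last activity}
    exports = defaultdict(int)      # (user, ip, date) -> number of exports
    flagged_pairs = set()           # (user, {ip_a, ip_b}, date) already alerted

    for e in events:
        user, ip, ts = e["user"], e["ip"], e["ts"]

        if e["action"] == "login":
            # Front-door checks: where did the credential come from, and when?
            if not from_known_network(ip):
                alerts.append({"rule": "unknown_network", "user": user, "ip": str(ip), "ts": ts})
            if ts.hour not in BUSINESS_HOURS:
                alerts.append({"rule": "off_hours", "user": user, "ip": str(ip), "ts": ts})

        # "You cannot be in two places at once": any activity from a second
        # address while a first address was active within the window.
        for other_ip, other_ts in last_seen[user].items():
            if other_ip != ip and ts - other_ts <= CONCURRENCY_WINDOW:
                pair = (user, frozenset({ip, other_ip}), ts.date())
                if pair not in flagged_pairs:
                    flagged_pairs.add(pair)
                    alerts.append({"rule": "concurrent_sessions", "user": user,
                                   "ip": f"{ip} and {other_ip}", "ts": ts})
        last_seen[user][ip] = ts

        # Application-level check: an account that normally reads a report or
        # two suddenly pulling many exports in a row.
        if e["action"].startswith("export"):
            key = (user, ip, ts.date())
            exports[key] += 1
            if exports[key] == BULK_EXPORT_THRESHOLD:
                alerts.append({"rule": "bulk_export", "user": user, "ip": str(ip), "ts": ts})

    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['rule']:<20} {a['user']:<10} {a['ip']}")
```

None of these rules proves who sat at the keyboard; they only say which sessions deserve a look and from which address, which is exactly the point at which an investigator goes to the provider that owns the address and to the account holder's calendar.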

If this were true what would happen?

From MLB, the Cardinals are going to get hammered.  Since this is unprecedented, much as the Black Sox scandal was, the league should make the consequences so harsh that no one would ever think of it again.  I would expect epic fines, forfeited draft picks and possibly banishment, depending on who knew what and who used what.

From the criminal courts, the organization would be looking at fines, as in any corporate espionage case, since that is what this is in its purest form.  Anyone higher in the organization who had direct input into, or knowledge of, what was going on would also be looking at fines and possibly jail time at Club Fed.  Even if the Cardinals did nothing with the information, the fact that an employee (regular or contractor) took it and that the organization held the data may be a problem for them.

On the civil side, the Cardinals may get sued by the Astros, depending on what the MLB bylaws allow, and they could also be sued by Mr. Luhnow for the invasion of his privacy.

If this was not true what would happen?

Then the Cardinals would be in the clear, but with the stain of an investigation.  Even so, expect MLB to define which rules the clubs would be violating and what fines and other penalties would apply when something like this occurs.  If nothing else, expect the league to bring this up at its next league meetings.

Regardless of the results of the investigation, I would expect all clubs to review their IT and physical security policies, including requiring periodic password changes and other simple adjustments, to prevent this from happening again.  The most direct fixes for this particular scenario are that credentials never travel with an employee (new passwords at the new employer, old accounts disabled at the old one) and that the portal requires a second factor, so that a known password alone is not enough to get in.  I would also expect MLB to mandate training on organizational security and ethics so that everyone knows the repercussions if this happens again.

This is a shame, because the Cardinals are having a fantastic season, and now someone has to deal with this mess, which tarnishes what they have done so far and calls their previous success into question.  It is early in the investigative process and there will be more to follow.  At worst it shows a lack of progress into the new age of employee training on security and ethics.  Most other organizations, whatever the industry, run annual training on security and other codes of conduct; usually it is required by their liability insurance, which protects the organization in case of adverse judgments against it.  But baseball has now caught up to the NFL when it comes to scandals involving organizations spying on, stealing from, or otherwise doing stupid things to each other.
