Last week news broke that the FBI is investigating whether Major League Baseball’s St. Louis Cardinals hacked into the Houston Astros’ computer system and accessed the Astros’ proprietary business information, including trade assessments, statistical analysis and scouting reports. The scandal has gained national attention because it’s the stuff that movies are made of – a well-respected, 11-time World Series champion accused of corporate espionage, stealing secrets from its underdog, no-championship-ring-having rivals.
It is believed that one or more people from the Cardinals’ front office who specialize in statistical analysis and computer programming hacked into the Astros’ computer system from a residence shared by a handful of Cardinals personnel in Jupiter, Florida, during spring training in 2014.
The most prominent theory is that the hacker logged into the Astros’ system as either general manager Jeff Luhnow or Sig Mejdal, the director of decision sciences, both of whom used to be part of the Cardinals organization. Many speculate that the hacker simply guessed Luhnow’s or Mejdal’s password based on the passwords they had used when they were with the Cardinals. Note to self – take your IT people seriously when they scold you for your weak password.
Right now, the feds are running the investigation and there are still many unanswered questions, like: Who did the actual hacking? What, if anything, did the Cardinals’ higher-up executives know about the hacking? What information was accessed? How did the Cardinals use the stolen information, if at all?
After the dust settles, the bigger question to be answered is if the Cardinals did in fact illegally access the Astros’ computer system, how should they be punished?
There may be criminal penalties. Under the Computer Fraud and Abuse Act, Section (a)(4), anyone who “knowingly . . . accesses a protected computer without authorization” in order to “obtain anything of value” can be held criminally liable for hacking. Similarly, Section (a)(5)(B) of the CFAA bars “intentionally access[ing] a protected computer without authorization” in a way that results in damage to the computer’s owner. Violations of these provisions can lead to up to five years in jail and monetary fines, per offense (meaning each time the password was entered is a separate offense). Additionally, under the CFAA, the Astros could pursue a civil action against the Cardinals.
The problem is that the CFAA is incredibly vague with respect to what constitutes “damage” to the computer owner. It will be very difficult to quantify how the Astros were harmed and if the damage is enough to justify criminal penalties or civil liability.
Moreover, there is some criticism that the FBI is involved at all. Many people think that the government’s resources and federal hacking laws should be saved for incidents bigger than professional sports teams stealing statistics from one another, and that it is the MLB that should deal with this issue.
There is no question that the MLB will get involved; it’s just a matter of when and how. Currently, the league is stepping aside to allow the FBI to complete its investigation. But it is highly unlikely that the MLB will waive its disciplinary discretion altogether. We have seen how other professional leagues, like the NFL and the U.S. Soccer Federation, have handled disciplining a variety of misconduct off the field. How the MLB responds here will be exciting to watch.
The alleged hacking in this case is just a microcosm of what corporate electronic espionage can look like. Guessing passwords based on old ones is unsophisticated compared to the tools that professional hackers use, but the effect is similar to that of larger-scale hacking jobs. Here, the breach was discovered when some of the secret information was posted on the internet and picked up by the FBI, not by any security alert put in place by the Astros. And, as happens all too often, the breach was not discovered until almost one year later.
Whether it’s baseball scouting reports or top secret scientific product formulas, the business world must stay vigilant in protecting its proprietary business information.