The lights going on and off within the head of former St. Louis Cardinals scouting director Chris Correa were once probably flickering more actively than the lights inside of The Staples Center just before the Los Angeles Lakers take to the hardwood floors behind the sounds of The Who’s “Baba O’Riley.” That song, the chorus of which is, “It’s only teenage wasteland,” has been echoed by many music fans over the last four decades. It’s also something Mr. Correa ought to have learned a bit more about before hacking into the Houston Astros’ data systems during the last several years, a crime to which Mr. Correa has now pleaded guilty. In case Correa forgot, his actions are not at the sophistication level, nor does he have the creative liberties, of the Golden Globe-winning show, “Mr. Robot,” which detailed the exploits of a group of disillusioned hackers with Robin Hood-like motivations.
Instead, Mr. Correa lives like the rest of society, and what he did was illegal. He has now formally copped a plea to the illegal systems and e-mail hacking of managerial-level members of the Cardinals’ rival franchise, the Houston Astros, including the Astros’ General Manager, Jeff Luhnow. Correa faces at least five criminal counts, each punishable by a hefty fine and prison term.
Oddly, Correa denied any wrongdoing whatsoever when first terminated by the Cardinals organization, which makes the story even murkier. The recent plea agreement confirms his involvement in some kind of scheme to steal scouting and draft information that might give the Cardinals a competitive edge against their rivals down in southeast Texas. Was Correa acting as a rogue employee? Hard to say. Were his actions illegal? Absolutely.
Does Correa deserve maximum punishment? Probably not, especially in light of the sports scandals regarding doping, domestic abuse and deflated footballs that have plagued American sports of late. Does he deserve punishment sufficient to remind him that he’s not living in a “Teenage Wasteland,” the term so appropriately coined by the band The Who? Certainly.
Correa may have wished he were just like Peter Brand, the General Manager working under Billy Beane in the Oakland Athletics organization. Brand facilitated the statistical analysis for Billy Beane and the A’s in what has now become known as “Moneyball” thanks to a well-written book by Michael Lewis, and a movie made famous by Brad Pitt and Jonah Hill. Correa’s behavior, however, does not resemble the creative analytic accomplishments by the Athletics during those years when they revamped the techniques of MLB scouting through the use of statistics. What Correa did rises to trade secret theft and possibly corporate espionage. Correa worked his way up the ranks by stealing information that belonged to another MLB franchise, not through careful analysis of scouting information that was widely (and legally) available.
Correa opened a Pandora’s Box that professional sports has, in large part, otherwise avoided. There have been privacy issues related to recent stories surrounding Tom Brady and Jason Pierre-Paul in the NFL, but nothing rising to the level of the theft of proprietary and confidential information. Especially not a scandal involving two rival teams, not that the rivalry matters in a legal sense in any event.
Correa’s admission that he is a criminal still leaves open the subject of sentencing and punishment, which is set to be determined on April 11 of this year. Each count of wrongdoing by Correa, and there are five of them, carries up to a two hundred and fifty thousand dollar fine and up to five years in prison. It is unlikely that Correa will be sentenced separately for each count, meaning his monetary and jail penalty will likely be less than the aggregate one million, two hundred and fifty thousand dollars and twenty-five years in prison. More interesting perhaps is what will happen going forward with respect to not just the Cardinals and Astros, but Major League Baseball in general.
It’s unclear whether the U.S. Attorney may pursue entity-level charges against the Cardinals organization. It’s also unclear what MLB commissioner Rob Manfred intends to do to discipline either or both of these organizations. The Cardinals could be fined or stripped of draft picks by the MLB; league punishment remains an open issue.
But put simply, the ease with which Correa apparently gained access to the Astros’ systems is unacceptable. I have long preached not just that sports would be a target of hacking sooner rather than later, which has proven true even before this recent development in the MLB, but now more than ever, that it is unquestionably the responsibility of leagues and teams alike to institute mandatory protocols aimed at mitigating the potential fallout from any sort of hacking scandal. This activity simply cannot continue, and there must be guidelines by which leagues and teams must abide, just as there are in most every other business industry.
The intra-league criminality of the Cardinals and Astros scandal is unfortunate for the sport. It doesn’t belong anywhere in the ballpark, on a field, in a stadium, on a court or any other platform where professional sports are played. But we are where we are now, and that is past the point of hoping sports leagues, teams, etc. don’t become a target. They are all now potential targets more than ever; the flag’s been hoisted and is waving red. There are vulnerabilities in the world of sports with respect to privacy and cybersecurity that must be addressed by all parties involved.
Correa’s actions may not have been the best way for the issue to come to a head, but his plea and accompanying admissions also create an opportunity for all other actors in sports to take the reins and rectify any shortcomings in order to protect leagues, teams, athletes and consumers alike.
I hope that Rob Manfred, as commissioner of the MLB, takes appropriate action, whether that be education to each and every franchise, or otherwise. This is something that shouldn’t happen again in baseball or any other sport. To that end, I am confident that the leaders of other professional sports will also endeavor to understand the magnitude of events like this one, the complete details of which we don’t fully understand and may never understand, and that those leaders will strive to protect the integrity of America’s sports culture to the maximal degree. Some things are too sacred to America, and frankly, to the world.
From a technical and legal perspective, there are various measures that responsible parties can implement to help mitigate the risk of privacy breaches. To name a few:
- limiting what, if any, information may be stored in any cloud-based platform absent thorough checks and balances of adequate security measures in place;
- appropriate encryption standards;
- mandatory password protection of all devices and, in some cases, requiring multiple passwords for information access (e.g., RSA Tokens);
- password variance across different devices for individual users and across company server access;
- mandatory periodic changing of passwords on both enterprise and individual user levels;
- requiring multiple layers of user authentication;
- prohibitions related to automatic or manual linking of accounts (e.g., social media);
- limitations on automated and manual data backup to local devices such as phones, tablets or any other device;
- utilizing software to individualize any transmission of sensitive data (e.g., transmission of consumer credit card information when buying tickets and merchandise);
- requiring IT to re-route and/or mask sensitive data that is transmitted through the Internet; and
- allocating responsibility to remain up-to-date with local, state and federal regulations and evolving legal precedent regarding privacy and cybersecurity.
One of the problems is that there has been a resistance to the fact, or at least a lack of recognition, that times have changed. The sports sector must accept evolution and adapt as necessary. The sports world can only survive with the support of its players, personnel and most of all, its fans. And whether those fans are heading out to the stadium, ballpark, rink, track or field to cheer on their favorite team, buying jerseys or other merchandise, or playing fantasy sports online, their consumption of sports maintains the profitability and sustainability of the industry. More often than not, fans are passing private and often very sensitive information over the internet and/or by swiping a credit card. It will pay dividends down the road for every actor in the sports world to take strides and ensure protective security measures now.
There is a bigger picture here, just as there was for other industries that have seen cyberattacks on the rise in recent times. The sports industry is now officially on notice. In reality, it has been on notice for quite some time now given the pervasiveness of hacking and other privacy breaches in the last several years.
Whether you like sports or not is irrelevant, but it is relevant to recognize the ominous clouds that have now been cast over the sports world. If action isn’t taken by the teams, the leagues and by the committees that control those leagues, consumers are likely next up to be victims.
The last thing anyone wants is for the timeless phrase to change, and for the reality to become, “It doesn’t matter if you build it, they won’t come.” This theme never needs to, and never should, become a reality.