Two high-profile— but very different—data breaches that made headlines in recent days exemplify the growing struggle to protect sensitive data and why it’s so important to do so.
The St. Louis Cardinals allegedly stole sensitive information from another baseball team, the Houston Astros, and are now under investigation by the FBI. Meanwhile, the director of the Office of Personnel Management took heat from congressional Democrats and Republicans last week after news broke that Chinese hackers, suspected of compromising records for millions of federal workers, also may have stolen government employees’ applications for security clearances.
The case regarding the Cardinals, one of baseball’s most storied franchises, appears to be a somewhat low-tech data breach. Law enforcement officials, speaking anonymously, told the New York Times that Cardinals employees used passwords from a former employee, Jeff Luhnow, now general manager of the Astros, to gain access to that team’s network.
Considered one of baseball’s most innovative thinkers, Luhnow helped build one of baseball’s top farm systems before leaving St. Louis for Houston in 2011. Last year, documents from the Astros’ evaluation database, named Ground Control, were leaked, revealing nearly a year’s worth of internal player evaluations. The sports site Deadspin may have said it best at the time, speaking of Ground Control:
It is by all accounts a marvel, an easy-to-use interface giving executives instant access to player statistics, video, and communications with other front offices around baseball. All it needs, apparently, is a little better password protection.
Humor aside, this is a situation where companies should require employees to use a different password to gain access to company proprietary data. The biggest takeaway is: Organizations should identify crown jewels that are especially important to protect. Given the importance of Ground Control to the Astros —in a baseball world where scouting and player development are more important than ever —it’s hard to believe anything within that organization needed more protecting.
The Cardinals, meanwhile, could face various charges, including violations of the Computer Fraud and Abuse Act or possibly the Uniform Trade Secrets Act. The Times reported that the attack would be “the first known case of corporate espionage in which a professional sports team hacked the network of another team.” Illegal intrusions of companies’ networks are common, but they usually come from hackers in countries like Russia and China, the Times said.
Chinese hackers are also believed to be at the core of the OPM scandal, a claim China disputes. The attack, which authorities say was conducted by the same party that attacked Anthem Insurance earlier this year, is believed to have affected current and former employees from nearly every government agency. CNN spoke with experts who said the goal of the attack was to build a database of federal employees to set up future “insider” attacks “using the stolen personal information to fool and impersonate government workers.” By revealing who has security clearances and at what level, the Chinese may now be able to identify, expose and blackmail U.S. government officials around the world, the experts added.
The Anthem breach was said to have affected more than 78 million people, about 10 percent of whom weren’t even Anthem customers. It’s worth wondering how much liability the Federal Trade Commission could place on a company like Anthem, given that the federal government apparently fell victim to the same hackers.
Bottom line: Any organization that stores a lot of data —particularly sensitive data —can be a target.