Minor-League hacking in the MLB

So, about a year ago, the Houston Astros announced their internal player database had been breached. This week, more details emerged, pointing right at the St. Louis Cardinals.

It wasn’t a terribly sophisticated attack. You knew I’d write about this, but I’ll explore it from an IT security perspective more than from a baseball perspective.

First, some background is in order: Jeff Lunhow, the Astros’ general manager, is a former Cardinals employee. While with the Cardinals, Lunhow built a database of player evaluations. The Astros hired him in 2011 to do for the Astros what he did for the Cardinals. That’s a fairly common occurrence in baseball–struggling teams will hire talent from successful teams and give them a chance to try to replicate their success.

From what I can gather, Lunhow left behind some sort of a password list. This makes some sense, given that he kept his records electronically. But that also created a problem.

The current theory–and at this point it’s all theory, as nobody has been tried and convicted in a court of law at this point–is that when Lunhow built his database for the Astros, at least one of his former Cardinals coworkers was able to figure out where the database was stored on the Internet, and Lunhow either reused his password, or used a similar enough password that the former coworker was able to figure out what it was. Let’s say the password Lunhow used when he was working with the Cardinals was Cardinals12345. Then there’s a pretty good chance his new password would be Astros12345, or maybe Astros123456789.

What the FBI is saying is that it’s clear the Astros database was accessed from the home of a Cardinals employee. All that takes is looking at the IP addresses of the computers accessing the database. Chances are there were tons of addresses in Houston, and one address that didn’t fit the pattern. Then an investigator checked that address, saw it was from the Jupiter, Florida, area where the Cardinals hold spring training, then contacted either the relevant ISP with the address, date, and time, and then the ISP told them the name of the person using it. It’s the same technique that copyright holders use to identify people illegally downloading movies or music without paying for them.

It’s basically the equivalent of a bank robber using his own car and not covering up the license plate, and that’s why I say this wasn’t a sophisticated attack.

However, it is a serious matter, and I don’t know how it’s going to be handled. We could be talking fines, or lawsuits, or, potentially we could be talking prison time.

But this isn’t uncharted territory. Corporations fight this kind of stuff off all the time. Sometimes they get caught and sometimes they don’t. But it seems that having at least one really high-end security professional on staff would be a good idea for each Major League team at this point, if they don’t already have one, to make sure their hard-won scouting data doesn’t walk off, like it did for the Astros. Or better yet, get at least one defender and one investigator. That way, if something does go sideways, the team is prepared.

If you found this post informative or helpful, please share it!
%d bloggers like this: