What I would have done to secure the Astros’ database

Last Updated on August 12, 2018 by Dave Farquhar

The now-infamous breached Houston Astros database sounds like a classic case of what security professionals call Shadow IT: a project that the business needs, done without adequate involvement from security and, most likely, from the IT department as well.

These kinds of things happen a lot. A go-getter implements it, cutting through red tape to get a useful project done in record time, and it’s great until something goes wrong.

In this case, “wrong” meant a competitor got into the database and stole trade secrets.

The reason it was built the way it was, most likely, is that securing it would have been harder than building it in the first place. I am assuming the Astros built it in the cloud, or left it accessible to the full Internet. The database isn’t nearly as useful if it can’t be accessed from the dugout. Scouts need to be able to update it from the field, and coaches and the manager need to be able to consult it as they make decisions during the course of a game. If an opposing player is nursing a hand injury, you’ll want to pitch him inside, for example.

The first thing I would have done is require two-factor authentication. When logging in, it would send a text message to your phone with a code, which you would then enter before getting in, much like Facebook can be configured to do.

The next thing I would have done is have a penetration testing firm test the login pages, at the very least. If you’re not careful, you can code a login page in such a way that someone could dump the database from the login prompt, because whatever is typed into the form gets pasted straight into the database query.
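As an added illustration (not from the original post) of the login-page defect described above, here is a constructed Python/SQLite example that puts a string-concatenated login query beside a parameterized one. The user table, the credentials and the `password_hash` column are made up for the demonstration; a real application would store salted password hashes and compare them in code.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table; no real scouting data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("scout1", "hash-of-scout1-pw"), ("manager", "hash-of-manager-pw")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the query by string concatenation, so form input becomes SQL text.

    Whatever the user types is parsed by the database engine as part of the
    statement, which is how a login prompt turns into a database dump.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password_hash):
    """Binds the form input as parameters, so it is only ever compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


if __name__ == "__main__":
    db = build_db()
    # Normal credentials behave the same either way.
    print(login_vulnerable(db, "scout1", "hash-of-scout1-pw"))
    print(login_safe(db, "scout1", "hash-of-scout1-pw"))
    # The textbook tautology input: the concatenated query matches every row,
    # while the parameterized query matches none.
    probe = "' OR '1'='1"
    print(login_vulnerable(db, probe, probe))
    print(login_safe(db, probe, probe))
```

A penetration tester checking a login form would look for exactly this difference in behaviour, and a code reviewer would look for any query assembled with `+` or string formatting instead of bound parameters.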

Sadly, corporate espionage is a thing, and it’s not limited to places like Russia and China and North Korea. Baseball is supposed to be above this, but all it takes is one rogue employee, and hackers for hire aren’t that hard to find if the rogue employee doesn’t have mad SQL injection skilz.

We may be at the point where Major League Baseball teams need corporate IT security just like large corporations have. Fortunately, for the cost of their utility infielder, they could get a couple of good ones. Or for the cost of a good left-handed relief pitcher, they could have a team to protect their valuable scouting reports and other intelligence.
