Data Breach

Baseball Hacking Case Ends with Prison

Unusual Incident Mixed Cyberespionage with Sports
Baseball Hacking Case Ends with Prison

A former St. Louis Cardinals scouting director has been sentenced to 46 months in federal prison for illegally peeking at a player-drafting database for the Houston Astros - a hefty term for a distinctly unique hacking case.

See Also: How to Scale Your Vendor Risk Management Program

Christopher Correa, 36, was accused of illegally accessing Ground Control, a cloud-based database that held the Houston team's most critical observations on potential players, and an Astros email account. He pleaded guilty in January in federal court in Houston to five counts of unauthorized access to a protected computer.

The case is unique because of the stiff sentence Correa received. It is also likely the first ever cyber espionage prosecution relating to sports, says Edward McAndrew, a former federal cybercrime prosecutor and now partner with law firm Ballard Spahr.

"To see [cyberespionage] between two professional sports franchises in a way that was meant to enable one to get a competitive advantage is unparalleled in terms of its prosecution," McAndrew says.

The case also highlights serious errors made by the Houston Astros in managing Ground Control, which was breached by separate attackers while Correa was snooping for player scoops.

Harsh Sentence?

A first-time cyber offender, Correa faced up to five years in prison on each count. Federal judges rarely stack counts when sentencing, so the effectual maximum that Correa could have faced was 60 months. His 46-month sentence is "significant" and shows intent by the judge to deter others, McAndrew says.

Defendants have typically received much lower sentences in similar cases, indicating U.S. District Judge Lynn N. Hughes aimed for a deterrent effect, McAndrew says.

"Sending a message is, in fact, something that judges are supposed to consider when they impose criminal sentences," McAndrew says. "And because of the very unique nature of this particular crime and this particular sentence, I think the judge was certainly doing that here."

Correa was also ordered to pay the Astros $279,038 in restitution. The team lost an estimated $1.7 million as a result of the intrusions.

Correa received a slightly shorter sentence than that of Su Bin, a 51-year-old Chinese businessman who pleaded guilty to conspiring to hack the computer networks of U.S. defense contractors, including Boeing. Bin was sentenced on July 14 to 48 months in federal prison and fined $10,000, according to Reuters.

"If one wanted to heckle this - while Mr. Correa's plea bargain is within the ballpark - one would say he should get more than a two-month discount off of a military-style hack," says Ira Rothken, a technology attorney based in Novato, Calif.

Ground Control

The Houston Astros set up Ground Control in 2012 as part of a move away from pen-and-paper notes. But the team struck out due to poor information security practices.

Ground Control was a password-protected, internet-facing web service containing detailed notes on players that the Astros was scouting, which could have given clues as to which players the team might draft.

Correa, the Cardinals' director of baseball development, in December 2011 was given a laptop of a team employee who moved to the Astros. That employee, referred to as Victim A, also turned over his password to Correa, according to a court document.

Victim A then used a similar password for his Astros email and Ground Control accounts. Correa discovered the variation and accessed both accounts.

In a January hearing, Assistant U.S. Attorney Michael Chu described Victim A's password as "based on the name of a player who was scrawny and who would not have been thought of to succeed in the major leagues, but through effort and determination he succeeded anyway."

"So this user of the password just liked that name, so he just kept on using that name over the years," Chu said, according to a court transcript.

Scouting for Data

In his first intrusion in March 2013, Correa downloaded an Excel file that contained the Astros' scouting list and how the players were ranked.

Three months later, he accessed Victim A's Ground Control account, filtering results to only show players that the Astros were considering who had not been drafted yet.

As Correa was poking around, the Astros faced a larger problem. In March 2014, the Houston Chronicle ran an in-depth story about Ground Control, and unknown attackers accessed the database. The team then changed the database's website address, and Ground Control users were also prompted to change their passwords.

That's when the Astros made a critical mistake. Fearing that some users would not change their passwords fast enough, it reset all Ground Control accounts to a single default password and then emailed that password to all users.

Correa kept his access, as he knew the new URL for Ground Control and saw the default password emailed to Victim A. He then used the default password to open the Ground Control account for Victim B.

The bungled security refresh by the Astros, which came too late, proved to be costly. In June 2014, about 10 months' worth of information from Ground Control was leaked online, Deadspin reported at the time. The Astros undertook a security review, and Major League Baseball contacted the FBI.

When he pleaded guilty on Jan. 8, Correa admitted to the breach, saying that he "trespassed the Astros' resources based on suspicions that they had misappropriated proprietary work from myself and my colleagues."

Judge Hughes then asked Correa, "So you broke in their house to find out if they were stealing your stuff?"

"Stupid, I know," Correa responded.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network