The Astros Hack Won’t Be the Last in Sports

Criminal charges have finally come down in the case regarding an employee of the St. Louis Cardinals illegally accessing computers belonging to the Houston Astros. Chris Correa has pleaded guilty and could face up to 25 years in prison for his involvement in hacking the Astros’ database. It’s a move that will hopefully deter professional sports teams from participating in this kind of behavior in the future, but one that certainly won’t guarantee it. On the contrary, these kinds of security breaches are now commonplace among corporations, and there doesn’t seem to be any discernible light at the end of the tunnel. Provisions can be made, certainly, but there’s no guaranteeing that any professional sports team’s internal documents and information will be safe from hackers looking to make a name for themselves, or even from rival teams.

In his (Insider) piece for ESPN, Jim Bowden opines on some possible punishments for the Cardinals in the wake of the scandal. His last idea has good intentions, though the implementation is basically impossible:

New computer requirements: Manfred should put together a task force that would make sure all 30 teams have sufficient security for their baseball operations systems so that hacking is nearly impossible. These systems can either be checked on a regular basis or be monitored from a central location (i.e. the commissioner’s office).

I won’t berate Mr. Bowden on his nativity here. An understanding of cybersecurity doesn’t really fall under his job description. But this suggestion is both impossible and unfruitful. There simply is no way for an organization to absolutely protect itself against network attacks. We’ve seen hacks against the Office of Personnel Management, Patreon, T-Mobile, Ashley Madison, Hilton, and many other companies in 2015 alone. The attack vectors multiply and the number of threats grows every day. Most of what is considered cybersecurity these days is simply addressing known exploits. Measures of varying degree can be taken against unknown exploits, but they are all difficult and the best require big-time money. A league-mandated policy on cybersecurity won’t help that. In fact, if teams are looking to protect themselves against corporate espionage, mandates are the last thing they want.

Let’s play this out a little. Say Team A wants to find out who Team B is planning on drafting. Team B has taken every (hypothetical) precaution laid out for them by the league. The problem is, Team A already knows all of these procedures. They know exactly which exploit methods to avoid and which are still left open. The road map is already drawn up. All they need to do is follow it.

It’s true that something like what Mr. Bowden is suggesting would hopefully ensure that teams act a little smarter. In fact, the exploit used against Houston was a very low-level attack. Correa essentially guessed an Astros employee’s password based on what that employee used as a password when he was previously with St. Louis. This really isn’t hacking, and it’s barely social engineering. Some guidelines from the league (who will hopefully consult with some professional security experts) could help protect against these kinds of mishaps in the future. But if a team really wanted to get their hands on some classified information (and were willing to take the risk), it wouldn’t be all that difficult.

The FBI charges will most likely ensure that teams won’t try any shenanigans themselves, and certainly not from company computers on company networks. This does not mean, however, that rival teams or any other ne’er-do-wells couldn’t use outside sources to try and dig up secrets.

I don’t want to get too far into the nitty-gritty of how the hacking community works, but suffice it to say that there are communities out there that are certainly willing to perform this type of work for a fee. Potential recruits can be found on certain IRC channels or Tor (a pseudo-anonymous network where web traffic is masked) sites and paid in Bitcoin — a cryptographic digital currency that makes transactions hard to trace. There are hackers out there for hire, to be certain, which means that teams wouldn’t even have to get their hands dirty.

And even if teams were to take measures to secure their servers and networks, there are certainly other ways security breaches can happen. An attacker could find an exploit in an employee’s home router and monitor their traffic from a car parked near their house. Man-in-the-middle attacks could be employed from a coffee shop a scout or executive visits.

And let us not forget social engineering, perhaps the most common way breaches happen nowadays. An attacker can call people around the front office posing as Todd from IT, telling people that the mail server failed and that they need their password to recreate their profile. People are still all too willing to provide passwords and other sensitive data over the phone. Spoofed emails can be sent out with links to legit-looking websites. It usually only takes one person to give up their login information or click a link for an attacker to gain access to a network. People rarely change their passwords — and if they do, it’s often in predictable ways.

These are threats that all corporations face, not just sports teams. But it goes to show that no team is 100% safe, no matter what their respective league does or doesn’t do. In our age of prediction models and player evaluations and biometric sensors that track performance data, there is certainly a lot of juicy information that teams hold dear, and wouldn’t want other teams to see. The problem is that this information is stored on computers, and most computers are on networks that face the public in one way or another.

Is it a little scary? Certainly. Is it avoidable? Not entirely, though a hefty dose of firewall provisions, complex-password requirements, and employee training can go a long way to help prevent most attacks. But there’s no silver bullet that the league or anyone else can provide to ensure that what happened to the Astros won’t happen to anyone else. It’s part of the cost of doing business in our connected world, and probably will be forever.

(Image via Christian Colen)

David G. Temple is the Managing Editor of TechGraphs and a contributor to FanGraphs, NotGraphs and The Hardball Times. He hosts the award-eligible podcast Stealing Home. Dayn Perry once called him a "Bible Made of Lasers." Follow him on Twitter @davidgtemple.

8 years ago

Did you mean naivete where it says “nativity”? or that he is not…a digital native?

8 years ago
Reply to  hsh

Also this is a fantastic article! Interested to see where the lines get drawn on this…

Scott M
8 years ago

Great article: I think you laid out the security issues very well. I actually work for a security company, and agree with your advice to MLB: hire security experts and have them do their thing.

Two things about the Cardinals break-in:
1. My guess is that Mr. Correa doesn’t see any jail time. Or at least any significant time, anyway.
2. I’d like to have access to Mr. Correa’s offshore bank accounts, as I believe the Cardinal upper management paid him a hefty fee to take the fall all by himself.

Yehoshua Friedman
8 years ago

I wonder if pro sports teams are a little more naive or clumsy in data protection than the general business community because of locker-room camaraderie. Or perhaps because of the influence that sports metaphors have in the general business community, it makes no difference. Research or even anecdotal evidence, anyone?