The theft of Houston Astros data by a former St. Louis Cardinals scouting director was widely reported in the press earlier this year. An FBI investigation into the hacking and data theft resulted in Christopher Correa being charged with improperly accessing Houston Astros data.
Correa initially denied “any illegal conduct” however, in January this year, Correa came clean and pleaded guilty to five counts of unauthorized accessing of a protected computer. The offenses occurred over a period of years.
In June 2015, the FBI launched an investigation into the potential Houston Astros hacking incident and uncovered evidence that suggested an unauthorized individual had gained access to a proprietary database. The database was used by the Houston Astros to record player statistics, medical data, trades, and scouting reports. The trail of evidence led to officials at the St. Louis Cardinals; specifically, to Correa.
Correa was accused of downloading a spreadsheet containing a full list of scouting data for every player that was eligible for the 2013 draft. The spreadsheet contained detailed notes on players, including injuries and performance statistics. Data were accessed prior to important events such as the 2013 amateur draft.
After the discovery of the hacking incident in 2013, the Houston Astros implemented a number of new security protections to prevent further data access, although Correa was still able to bypass those controls and gain access to data. He was reported to have subsequently accessed the email system and viewed 118 pages of confidential data.
The losses suffered as a result of the theft of Astros data were reportedly in the region of $1.7 million. Correa was alleged to have viewed detailed trade discussions, potential bonuses, performance stats, and injury information, and used the data to draft players to the Cardinals.
The data were accessed using a password similar to that used by a former Cardinals employee who had given his laptop to Correa – including a password – before he joined the Astro’s staff.
Correa Sentenced to 46 Months for Theft of Houston Astros Data
This week, Correa was in court for sentencing. Before U.S. District Court Judge Lynn Hughes sentenced Correa he said he was “overwhelmed with remorse” and regretted his actions. Correa said he understood he had violated his values and “the whole episode represents the worst thing I’ve done in my life by far.” He went on to say “I behaved shamefully.”
Judge Hughes ordered Correa to spend 46 months in jail and a court order was issued requiring Correa to pay $279,038 in restitution for the theft of Houston Astros data. It is possible that the MLB will also take action against the St. Louis Cardinals for the theft of Houston Astros data, although it is unclear at this stage what that action will be. Potentially it could involve a fine or the Cardinals could be forced to lose draft picks. No decision will be taken until the MLB is supplied with detailed information about the Astros hacking investigation.
The St. Louis Cardinals hacking scandal shows that you don’t need to be a criminal mastermind or skilled hacker to gain access to sensitive data if bad passwords are used. The sharing of passwords, or use of very similar passwords across multiple platforms, is a recipe for disaster. When a password is changed, it is not sufficient to use a variation of the same password. Each new password must be totally unique.