St. Louis Cardinals Scout Admits to Hacking Houston Astros

Chris Correa, former scouting director for US baseball team St. Louis Cardinals, has pleaded guilty to five counts of computer hacking, bringing to a close nine innings of cyber-idiocy.

As part of his plea agreement, Correa admitted that from March 2013 through at least March 2014, he illicitly accessed “closely guarded” special databases of trades, proprietary statistics and scouting reports owned by the Houston Astros, and/or e-mail accounts of others in that organization. In total, the damage to the Astros is thought to be around $1.7 million.

It all started with former Cardinals GM Jeff Luhnow, a polarizing figure at the club. Under Luhnow, the Cardinals built a proprietary database, dubbed Redbird, for storing all sorts of important baseball operations data, including scouting reports and player information. He subsequently left to join the Astros, where he embarked on a similar project, charmingly called Ground Control.

But the baseball club’s shiny new database was not exactly blasting off for the data protection stratosphere. Even though Ground Control contained the Astros’ “collective baseball knowledge,” it took Cards' personnel zero skill to break in. Correa simply examined a list of passwords Luhnow used while in Missouri and tried them out. Guess what? They worked.

No two-factor authentication. No complex, changing password requirements. Just a bit of luck.

The Astros eventually did get wise to the password issue—and instituted new passwords. But Correa was able to hack an email that had the URL and the new password list, and was back swinging for the fences in no time.

As we reported at the time, suffice it to say that all nine innings of this saga are filled with security strike-outs.

The information that Correa was able to access was wide-ranging, to say the least, and potentially very damaging for Houston. For instance, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects whom the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered. He also viewed the team’s scouting crosscheck page, which listed prospects who were seen by higher level scouts. During the June 2013 amateur draft, Correa intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.

Correa, who started working for the Cardinals in 2009, was fired in July 2015 after he admitted to the snooping.

“We have secured an appropriate conviction in this case as a result of a very detailed, thorough and complete investigation,” said U.S. Attorney Magidson, in the DoJ announcement. “Unauthorized computer intrusion is not to be taken lightly. Whether it’s preserving the sanctity of America’s pastime or protecting trade secrets, those that unlawfully gain proprietary information by accessing computers without authorization must be held accountable for their illegal actions.”

Each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine.

Photo © Sari ONeal 
