Off the Kuff Rotating Header Image

Chris Correa

More about the hack of the Astros

Fascinating stuff.

A federal judge has unsealed details about former St. Louis Cardinals executive Chris Correa’s hacking of the Astros’ email and player evaluation databases, clearing the way for Major League Baseball to impose sanctions against the Cardinals as soon as this week.

Three documents entered into court records but made public by U.S. District Judge Lynn Hughes on Thursday reveal new information regarding Correa’s intrusions, for which the former Cardinals scouting director is serving a 46-month sentence in federal prison after pleading guilty in January 2016 to five counts of unauthorized access to a protected computer.

[…]

According to the documents, portions of which remained redacted, Correa intruded into the Astros’ “Ground Control” database 48 times and accessed the accounts of five Astros employees. For 21/2 years, beginning in January 2012, Correa had unfettered access to the e-mail account of Sig Mejdal, the Astros’ director of decision sciences and a former Cardinals employee. Correa worked in St. Louis as an analyst under Mejdal, who came to Houston after the 2011 season with Astros general manager Jeff Luhnow, also a former Cardinals executive.

“(Correa) knew what projects the Astros’ analytics department was researching, what concepts were promising and what ideas to avoid,” said one of the documents, signed by Michael Chu, the assistant U.S. attorney who prosecuted the case against Correa. “He had access to everything that Sig Mejdal … read and wrote.”

Correa also attempted to gain access to the accounts of Bo Porter, the Astros’ manager in 2013-14, and pitching coach Brent Strom, and he used passwords belonging to Luhnow, Astros analyst Colin Wyers, and three Astros minor league players to gain access to the Astros system, the documents show.

A third document includes a subpoena from Correa’s attorney to obtain documents from the Astros, based on Correa’s statement that he was combing the files looking for information taken from the Cardinals. Hughes denied the request, which sought access to emails from Mejdal, Luhnow and former Astros assistant GM David Stearns and analyst Mike Fast regarding a variety of topics, including Cardinals minor league pitching coach Tim Leveque, Cardinals assistant general manager Mike Girsch and the Cardinals’ player information database, known as RedBirdDog.

See here and here for some background. The sanctions have since been imposed – the Cardinals will give their top two draft choices and two million bucks to the Astros as redress – but it’s the details of what Correa did that are so riveting. Deadspin, which was a key player in this as well, elaborates:

The sentencing document also points to a motive beyond the obviously useful scouting data: Correa was furious and envious of Mejdal’s acclaim in a June 25, 2014 Sports Illustrated cover story about the Astros’ embrace of analytics, with the cover predicting them as the winners of the 2017 World Series.

The account the feds lay out reads like a downright sinister revenge plot by Correa: On June 27, two days after the SI cover story, Correa attempted, unsuccessfully, to log into Mejdal’s, Luhnow’s, and Wyers’s Ground Control accounts. He then tried to log in via the accounts of Astros pitching coach Brent Strom and Astros manager Bo Porter. Thwarted but not deterred, he tried another tactic.

[…]

The same day, June 28, Deadspin was emailed a tip from a burner email service that linked “to a document on AnonBin, a now-dead service for anonymously uploading and hosting text files.” On June 30, Deadspin published the contents of the document, which detailed the Astros’ trade discussions between June 2013 and March 2014.

A year later, Deadspin deputy editor Barry Petchesky laid out the information we received, and why he believed we were the intended recipients. We had and have no additional information that indicates who the leaker was, and would not reveal the leaker’s identity if we knew it—as Petchesky later explained to an FBI investigator.

Regardless, the feds speculate that Correa himself emailed us the information.

Damn. I will watch the hell out of the eventual 30 for 30 documentary on this. The Press, Craig Calcaterra, and Jeff Sullivan, who thinks the Cardinals got off too lightly, have more.

Astros hacker sentenced to 46 months

Away he goes.

Former St. Louis Cardinals executive Christopher Correa was sentenced Monday to 46 months in prison for illegal incursions into the Astros’ computer database, wrapping up a case of sports-related cybercrime that a federal judge and prosecutors summed up as plain, old-fashioned theft.

Correa, 35, will report within two to six weeks to begin his sentence imposed by U.S. District Judge Lynn Hughes, who accepted the government’s recommended sentence in the wake of Correa’s guilty plea in January to five counts of illegal access to a protected computer.

Now the case moves into the hands of Major League Baseball, where commissioner Rob Manfred will decide if the Cardinals will face sanctions because of Correa’s actions in 2013 and 2014.

Manfred also may be asked to consider a heretofore undisclosed element: that Correa intruded into the Astros’ system 60 times on 35 days, far more the five reported cases to which he pleaded guilty, according to an Astros official.

[…]

U.S. Attorney Kenneth Magidson said he was pleased with length of the sentence. Correa could have been sentenced to a maximum of five years in prison on each count, although prosecutors agreed in return for his guilty plea that sentences would be served concurrently.

“This is a serious federal crime,” Magidson said. “It involves computer crime, cybercrime. We in the U.S. Attorney’s office look to all crimes that are being committed by computers to gain an unfair advantage. … This is a very serious offense, and obviously the court saw it as well.”

Astros general counsel Giles Kibbe, who also attended the hearing, described Monday as a “sad day for baseball” and emphasized that the Astros were the victims of Correa’s unauthorized access into a computer database that included scouting reports and other information.

Referring to Correa’s statements in January, he added, “I don’t know what Mr. Correa saw in our system or what he thinks he saw in our system, but what I can tell you is that the Astros were not using Cardinals’ proprietary information.”

Kibbe, for the first time, also acknowledged that Correa’s intrusions into the Astros computer system were more frequently than the instances set out in the information to which he pleaded guilty – 60 intrusions over 35 days, he said, from March 2013 through June 2014.

He also said the Astros would rely on Major League Baseball to complete its investigation of the Cardinals, with the possibility of sanctions against the team.

“We have full faith in his actions,” he said, referring to MLB commissioner Manfred.

See here for the background. Correa had previously claimed to have found Cardinal information on the Astros’ system while he was hacking around. There could be some effect from that if there’s anything to it when MLB wraps up its investigation and imposes any sanctions on the Cards. In the meantime, I’d say this will serve as a pretty strong deterrent to any other baseball front office folks who may have been tempted to take an unsanctioned peek at what their rivals are doing. No one can say they haven’t been warned at this point.

Astros-hacker pleads out

One chapter closes in of one of the stranger sagas I’ve seen in sports.

The former scouting director of the St. Louis Cardinals pleaded guilty in federal court Friday to hacking into the player database and email system of the Houston Astros in an unusual case of high-tech cheating involving two Major League Baseball clubs.

Chris Correa pleaded guilty to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. Correa, 35, was fired last summer and faces up to five years in prison on each charge when he is sentenced April 11.

“I accept responsibility in this case,” Correa told U.S. District Judge Lynn Hughes. “I trespassed repeatedly.”

“So you broke in their house?” Hughes asked Correa, referring to the Astros.

“It was stupid,” replied Correa, who is free on $20,000 bond.

U.S. Attorney Kenneth Magidson said the hacking cost the Astros about $1.7 million, taking into account how Correa used the Astros’ data to draft players.

“It has to do with the talent that was on the record that they were able to have access to, that they wouldn’t have otherwise had access to,” he told reporters. “They were watching what the Astros were doing.”

MLB could discipline the Cardinals, possibly with a fine or a loss of draft picks, but said only that it looked forward to getting details on the case from federal authorities. The Cardinals, whose chairman, Bill DeWitt Jr., had blamed the incident on “roguish behavior,” declined comment.

See here, here, and here for the background. Given that he pleaded out, I don’t expect Correa to get jail time, though perhaps a suspended sentence might be in the works. He’ll never work in baseball again, that’s for sure.

There’s still a lot more to this, however. As Craig Calcaterra notes, Correa claimed to have found Cards information on the Astros’ system when he was traipsing around in there.

That may not raise to a criminal level — there is no allegation Astros people hacked into the Cardinals’ system — but it could be relevant to Major League Baseball in a larger team-to-team information security matter. All of that depends on what Correa is saying he saw, which we do not know yet.

That aside, the level and the amount of information Correa got from the Astros is extraordinary. The defense some have offered — that he was merely checking to see if the Astros stole something — seems like a tiny part of this compared to what he accessed. And the argument I have heard from some people that, “hey, Correa was just walking in an unlocked door, so it’s not a big deal,” is not really true. He walked in, the Astros locked it, so then he broke into Jeff Luhnow’s office, as it were, and stole the keys so he could walk back in again. That is not just idle perusing. That is a concerted effort to carry out corporate espionage.

All of which is to say that this is far from over, especially from a baseball perspective. Correa performed his duties as Cardinals scouting director for over two years while in possession of extensive amounts of Astros’ confidential information. That benefitted him personally and, by extension, benefitted the Cardinals via the acts he took on their behalf with that information in his head. And that’s the case even if he was the sole person involved. If anyone else accessed Ground Control or was made privy to the information Correa obtained, it makes the Cardinals’ collective informational advantage all the greater.

Major League Baseball needs to find out what, if anything the Astros have of the Cardinals, as Correa claims. They need to learn — as they may still learn given that the investigation and the case is not over — what law enforcement knows about anyone else’s involvement. There is still a long way to go. However, based on what is known at the moment, the data breach here was extensive and extraordinary and the Cardinals will likely be facing some stiff, stiff penalties as a result. Maybe financial penalties. Maybe draft pick penalties. Maybe some combination.

Either way, this case is way bigger than people thought it to be yesterday.

We’ll see what MLB does once they have all the information that the prosecutors gathered. Hair Balls and the Chron have more.

Cardinals identify a fall guy

The latest Hacked-Stros news.

The St. Louis Cardinals have terminated the contract of their scouting director, Chris Correa, as investigations continue into alleged hacking of a Houston Astros database.

A Cardinals’ lawyer, James G. Martin, confirmed the move Thursday, saying Correa already had been on an “imposed leave of absence.” Martin declined to comment on the reason. And he would not say whether any employee has admitted hacking the Astros, citing ongoing investigations by the club, Major League Baseball and the FBI.

Correa declined to comment.

In a prepared statement, Correa’s lawyer, Nicholas Williams, wrote: “Mr. Correa denies any illegal conduct. The relevant inquiry should be what information did former St. Louis Cardinals employees steal from the St. Louis Cardinals organization prior to joining the Houston Astros, and who in the Houston Astros organization authorized, consented to, or benefited from that roguish behavior?”

Giles Kibbe, the attorney for the Astros, reaffirmed an earlier denial that neither the Houston organization nor any previous Cardinals employees now with the Astros had taken anything proprietary from the Cardinals.

Astros general manager Jeff Luhnow, who as head of the Cardinals’ analytics department had helped build the database used here to evaluate players, has said that everything he and others did in Houston was accomplished “from scratch.”

“We stand by all of our previous comments,” Kibbe said. “We’re looking forward to the conclusion of the FBI’s investigation. I stand by all that Jeff has said on this matter.”

Correa has admitted hacking into a Houston database but only to determine whether the Astros had stolen proprietary data, according to a source with knowledge of the investigation.

Correa did not leak any Astros data and is not responsible for additional hacks that the FBI has alleged occurred, said the source.

[…]

The source said that Correa’s involvement in the hacking began in 2013, in an attempt to determine whether Luhnow or any other former Cardinals employees took proprietary data to the Astros.

Correa’s suspicions were aroused in part by a résumé in which a job seeker claimed expertise that Correa believed could have come only from working with Cardinals data, the source said.

He used an old password from a former Cardinals employee working for the Astros to access the Houston database “a few” times but did not download data, the source said. The source claims Correa located some data on the website, but did not report it to his bosses because the information was outdated and unreliable without being redone.

The source said that others must have accessed Houston’s database if federal investigators’ claims about the number of hacking attempts are correct.

See here and here for the background. The counter-charges are interesting and I suppose could be a potential line of defense in the event this ever goes to a courtroom in some fashion. Whether it might mitigate any future punishment by MLB is another matter. The Chron story adds a bit more detail.

Giles Kibbe, the Astros’ general counsel, said in an e-mail, “We stand by all of our previous comments. We look forward to the FBI concluding their investigation.”

Major League Baseball, similarly, plans to await the conclusion of the FBI’s investigation, a person familiar with the league’s thinking said. A league spokesperson did not return a request for comment.

The FBI has not commented on details of its investigation but repeated a previously issued statement: “The FBI aggressively investigates all potential threats to public and private sector systems. Once our investigations are complete, we pursue all appropriate avenues to hold accountable those who pose a threat in cyberspace.”

[…]

Washington D.C.-based attorney Peter Toren, who handles cases involving intellectual property and commercial litigation, said that were a civil case to be filed, the Cardinals might be able to allege as a counterclaim against the Astros that Astros personnel improperly used information obtained in their time as employees for the Cardinals that could be classified as a trade secret.

Major League Baseball forbids clubs from suing each other, instead directing disputes to the commissioner as arbitrator. He can then award the Astros damages.

Luhnow and director of decision sciences Sig Mejdal worked with the Cardinals before joining the Astros, for whom they launched a database called “Ground Control.” The Cardinals had their own database, called “Red Bird Dog.”

“Ground Control” includes statistics, player evaluations and, at least up until last spring, logs of trade negotiations. Those logs were posted online and widely viewed at the website Deadspin last June, prompting an FBI investigation.

As first reported by The New York Times and confirmed by the Chronicle, the Cardinals had a master list of passwords, and at least one of the Astros’ departed executives did not alter his password well enough upon departure.

While Astros amateur scouting director Mike Elias also worked with the Cardinals in St. Louis and came over to the Astros with Luhnow, a person familiar with the investigation said Elias’ log-in credentials were not at issue. It’s unclear if the log-in information of both of Luhnow and Mejdal or just one of the two was in some way utilized in accessing Astros information.

Luhnow told Sports Illustrated he knows “about password hygiene and best practices” but did not directly address whether both he and his employees followed those practices to the necessary extent. Luhnow has turned down repeated requests for comment.

“I’m very aware of intellectual property and the agreements I signed,” Luhnow told Sports Illustrated. “I didn’t take anything, any proprietary information. Nor have we ever received any inquiries from anybody that even suggested that we had.”

Regarding the use of information obtained while working for another employer, Toren said, “That scenario is probably the most common type of trade secret case. One employee moves jobs and takes information with him to a new job for his use. The question then is: Is the employee generally allowed to take with him general knowledge?”

Toren said courts have ruled that employees can use general knowledge and skills gained on one job when they move to their next employer. However, he said lines can become blurry over “the type of information that really belongs to the employer that goes beyond … and really is specific knowledge.”

I still say having a master list of passwords is a terrible idea, whether Luhnow and the others who jumped from the Cards to the Stros practiced good password hygiene or not. I can’t wait to see the FBI report. Craig Calcaterra, who is not impressed by Correa’s attorney’s claims, has more.