
Jeff Luhnow

Astros-hacker pleads out

One chapter closes in one of the stranger sagas I’ve seen in sports.

The former scouting director of the St. Louis Cardinals pleaded guilty in federal court Friday to hacking into the player database and email system of the Houston Astros in an unusual case of high-tech cheating involving two Major League Baseball clubs.

Chris Correa pleaded guilty to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. Correa, 35, was fired last summer and faces up to five years in prison on each charge when he is sentenced April 11.

“I accept responsibility in this case,” Correa told U.S. District Judge Lynn Hughes. “I trespassed repeatedly.”

“So you broke in their house?” Hughes asked Correa, referring to the Astros.

“It was stupid,” replied Correa, who is free on $20,000 bond.

U.S. Attorney Kenneth Magidson said the hacking cost the Astros about $1.7 million, taking into account how Correa used the Astros’ data to draft players.

“It has to do with the talent that was on the record that they were able to have access to, that they wouldn’t have otherwise had access to,” he told reporters. “They were watching what the Astros were doing.”

MLB could discipline the Cardinals, possibly with a fine or a loss of draft picks, but said only that it looked forward to getting details on the case from federal authorities. The Cardinals, whose chairman, Bill DeWitt Jr., had blamed the incident on “roguish behavior,” declined comment.

See here, here, and here for the background. Given that he pleaded out, I don’t expect Correa to get jail time, though perhaps a suspended sentence might be in the works. He’ll never work in baseball again, that’s for sure.

There’s still a lot more to this, however. As Craig Calcaterra notes, Correa claimed to have found Cards information on the Astros’ system when he was traipsing around in there.

That may not rise to a criminal level — there is no allegation Astros people hacked into the Cardinals’ system — but it could be relevant to Major League Baseball in a larger team-to-team information security matter. All of that depends on what Correa is saying he saw, which we do not know yet.

That aside, the level and the amount of information Correa got from the Astros is extraordinary. The defense some have offered — that he was merely checking to see if the Astros stole something — seems like a tiny part of this compared to what he accessed. And the argument I have heard from some people that, “hey, Correa was just walking in an unlocked door, so it’s not a big deal,” is not really true. He walked in, the Astros locked it, so then he broke into Jeff Luhnow’s office, as it were, and stole the keys so he could walk back in again. That is not just idle perusing. That is a concerted effort to carry out corporate espionage.

All of which is to say that this is far from over, especially from a baseball perspective. Correa performed his duties as Cardinals scouting director for over two years while in possession of extensive amounts of Astros’ confidential information. That benefitted him personally and, by extension, benefitted the Cardinals via the acts he took on their behalf with that information in his head. And that’s the case even if he was the sole person involved. If anyone else accessed Ground Control or was made privy to the information Correa obtained, it makes the Cardinals’ collective informational advantage all the greater.

Major League Baseball needs to find out what, if anything, the Astros have of the Cardinals, as Correa claims. They need to learn — as they may still learn given that the investigation and the case are not over — what law enforcement knows about anyone else’s involvement. There is still a long way to go. However, based on what is known at the moment, the data breach here was extensive and extraordinary and the Cardinals will likely be facing some stiff, stiff penalties as a result. Maybe financial penalties. Maybe draft pick penalties. Maybe some combination.

Either way, this case is way bigger than people thought it to be yesterday.

We’ll see what MLB does once they have all the information that the prosecutors gathered. Hair Balls and the Chron have more.

Cardinals identify a fall guy

The latest Hacked-Stros news.

The St. Louis Cardinals have terminated the contract of their scouting director, Chris Correa, as investigations continue into alleged hacking of a Houston Astros database.

A Cardinals’ lawyer, James G. Martin, confirmed the move Thursday, saying Correa already had been on an “imposed leave of absence.” Martin declined to comment on the reason. And he would not say whether any employee has admitted hacking the Astros, citing ongoing investigations by the club, Major League Baseball and the FBI.

Correa declined to comment.

In a prepared statement, Correa’s lawyer, Nicholas Williams, wrote: “Mr. Correa denies any illegal conduct. The relevant inquiry should be what information did former St. Louis Cardinals employees steal from the St. Louis Cardinals organization prior to joining the Houston Astros, and who in the Houston Astros organization authorized, consented to, or benefited from that roguish behavior?”

Giles Kibbe, the attorney for the Astros, reaffirmed an earlier denial that neither the Houston organization nor any previous Cardinals employees now with the Astros had taken anything proprietary from the Cardinals.

Astros general manager Jeff Luhnow, who as head of the Cardinals’ analytics department had helped build the database used here to evaluate players, has said that everything he and others did in Houston was accomplished “from scratch.”

“We stand by all of our previous comments,” Kibbe said. “We’re looking forward to the conclusion of the FBI’s investigation. I stand by all that Jeff has said on this matter.”

Correa has admitted hacking into a Houston database but only to determine whether the Astros had stolen proprietary data, according to a source with knowledge of the investigation.

Correa did not leak any Astros data and is not responsible for additional hacks that the FBI has alleged occurred, said the source.

[…]

The source said that Correa’s involvement in the hacking began in 2013, in an attempt to determine whether Luhnow or any other former Cardinals employees took proprietary data to the Astros.

Correa’s suspicions were aroused in part by a résumé in which a job seeker claimed expertise that Correa believed could have come only from working with Cardinals data, the source said.

He used an old password from a former Cardinals employee working for the Astros to access the Houston database “a few” times but did not download data, the source said. The source claims Correa located some data on the website, but did not report it to his bosses because the information was outdated and unreliable without being redone.

The source said that others must have accessed Houston’s database if federal investigators’ claims about the number of hacking attempts are correct.

See here and here for the background. The counter-charges are interesting and I suppose could be a potential line of defense in the event this ever goes to a courtroom in some fashion. Whether it might mitigate any future punishment by MLB is another matter. The Chron story adds a bit more detail.

Giles Kibbe, the Astros’ general counsel, said in an e-mail, “We stand by all of our previous comments. We look forward to the FBI concluding their investigation.”

Major League Baseball, similarly, plans to await the conclusion of the FBI’s investigation, a person familiar with the league’s thinking said. A league spokesperson did not return a request for comment.

The FBI has not commented on details of its investigation but repeated a previously issued statement: “The FBI aggressively investigates all potential threats to public and private sector systems. Once our investigations are complete, we pursue all appropriate avenues to hold accountable those who pose a threat in cyberspace.”

[…]

Washington D.C.-based attorney Peter Toren, who handles cases involving intellectual property and commercial litigation, said that were a civil case to be filed, the Cardinals might be able to allege as a counterclaim against the Astros that Astros personnel improperly used information obtained in their time as employees for the Cardinals that could be classified as a trade secret.

Major League Baseball forbids clubs from suing each other, instead directing disputes to the commissioner as arbitrator. He can then award the Astros damages.

Luhnow and director of decision sciences Sig Mejdal worked with the Cardinals before joining the Astros, for whom they launched a database called “Ground Control.” The Cardinals had their own database, called “Red Bird Dog.”

“Ground Control” includes statistics, player evaluations and, at least up until last spring, logs of trade negotiations. Those logs were posted online and widely viewed at the website Deadspin last June, prompting an FBI investigation.

As first reported by The New York Times and confirmed by the Chronicle, the Cardinals had a master list of passwords, and at least one of the Astros’ departed executives did not alter his password well enough upon departure.

While Astros amateur scouting director Mike Elias also worked with the Cardinals in St. Louis and came over to the Astros with Luhnow, a person familiar with the investigation said Elias’ log-in credentials were not at issue. It’s unclear if the log-in information of both Luhnow and Mejdal or just one of the two was in some way utilized in accessing Astros information.

Luhnow told Sports Illustrated he knows “about password hygiene and best practices” but did not directly address whether both he and his employees followed those practices to the necessary extent. Luhnow has turned down repeated requests for comment.

“I’m very aware of intellectual property and the agreements I signed,” Luhnow told Sports Illustrated. “I didn’t take anything, any proprietary information. Nor have we ever received any inquiries from anybody that even suggested that we had.”

Regarding the use of information obtained while working for another employer, Toren said, “That scenario is probably the most common type of trade secret case. One employee moves jobs and takes information with him to a new job for his use. The question then is: Is the employee generally allowed to take with him general knowledge?”

Toren said courts have ruled that employees can use general knowledge and skills gained on one job when they move to their next employer. However, he said lines can become blurry over “the type of information that really belongs to the employer that goes beyond … and really is specific knowledge.”

I still say having a master list of passwords is a terrible idea, whether Luhnow and the others who jumped from the Cards to the Stros practiced good password hygiene or not. I can’t wait to see the FBI report. Craig Calcaterra, who is not impressed by Correa’s attorney’s claims, has more.

The Hacked-Stros

WTF?

The F.B.I. and Justice Department prosecutors are investigating whether front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, hacked into internal networks of a rival team to steal closely guarded information about player personnel.

Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built, according to law enforcement officials. Internal discussions about trades, proprietary statistics and scouting reports were compromised, the officials said.

The officials did not say which employees were the focus of the investigation or whether the team’s highest-ranking officials were aware of the hacking or authorized it. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.

The attack represents the first known case of corporate espionage in which a professional sports team has hacked the network of another team. Illegal intrusions into companies’ networks have become commonplace, but they are generally conducted by hackers operating in foreign countries, like Russia and China, who steal large tranches of data or trade secrets for military equipment and electronics.

Major League Baseball “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database,” a spokesman for baseball’s commissioner, Rob Manfred, said in a written statement.

[…]

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.

[…]

The intrusion did not appear to be sophisticated, the law enforcement officials said. When Mr. Luhnow was with the Cardinals, the organization built a computer network, called Redbird, to house all of their baseball operations information — including scouting reports and player personnel information. After leaving to join the Astros, and bringing some front-office personnel with him from the Cardinals, Houston created a similar program known as Ground Control.

Ground Control contained the Astros’ “collective baseball knowledge,” according to a Bloomberg Business article published last year. The program took a series of variables and “weights them according to the values determined by the team’s statisticians, physicist, doctors, scouts and coaches,” the article said.

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

Emphasis mine. Allow me to put my IT security hat on for a moment: There should never be a “master list of passwords”, because writing passwords down is poor security practice. Keep passwords in your head or in a password-keeper app. Two-factor authentication is a fine idea, too. And for goodness’ sake, don’t reuse old passwords, especially if you know that someone else knows what those old passwords are. The weakest link in any enterprise system is always an end user with bad security habits. Thus endeth the lesson. I can’t wait to see what Commissioner Manfred makes of this “Spygate” allegation. Hair Balls and ThinkProgress, from whom I got the embedded image, have more.

Somebody doesn’t like something about the Astros

I’m still not sure what we’re supposed to conclude from this long but mostly unsourced screed about how the Astros are running their team.

The Astros have become one of baseball’s most progressive franchises as they try to rebuild and avoid a fourth consecutive 100-loss season.

But general manager Jeff Luhnow’s radical approach to on-field changes and business decisions has created at least pockets of internal discontent and a potential reputation problem throughout baseball.

“They are definitely the outcast of major league baseball right now, and it’s kind of frustrating for everyone else to have to watch it,” said former Astros pitcher Bud Norris, now with Baltimore. “When you talk to agents, when you talk to other players and you talk amongst the league, yeah, there’s going to be some opinions about it, and they’re not always pretty.”

The criticism, through interviews with more than 20 players, coaches, agents and others, comes in two parts:

On the field, the Astros shift their defenders into unusual positions to counteract hitter tendencies more than any other team, including in the minor leagues. They schedule minor league starting pitchers on altered and fluctuating rotation schedules, what they call a “modified tandem” system, a development strategy unique in baseball.

Off the field, the Astros are said to handle contract negotiations and the timing of player promotions with a dehumanizing, analytics-based approach detected by some across their operation.

The central question is how much criticism should be inherent to their process and how much should signal trouble in a game where word of mouth spreads quickly?

“Ninety-five percent of what we do is very similar to what all of baseball does,” Luhnow said. “We’re being a little bit different for very good reasons in some areas that we think are important.

“It doesn’t affect our ability to make people happy at the big league level. It just doesn’t. It affects their ability to perform better and be more prepared. That’s at least our hypothesis, and what we believe. And to tie that together with (how we handle) contracts is ridiculous.”

As far as the shifting goes, we all know that the basic idea for this dates from the 1940s, right? Lots of teams are employing it heavily these days, due to a combination of much better data about where each individual batter tends to hit the baseball plus a crop of managers and GMs that are willing to do what the plain facts say they ought to do. As the widespread deployment of this tactic is still new there are sure to be adjustments and countermeasures taken along the way, but for now whatever griping there is about it – the story basically had none – is the usual reactionary BS that tends to dominate baseball conversations. This is why we can’t have a better Hall of Fame balloting process.

As far as the “tandem rotation” system in the minors goes, that’s another stathead pet rock that goes back at least 30 years. The basic idea behind it is to develop young arms while minimizing the risk of injury. For all the advances we’ve made in tracking and measuring what happens on the field, we still have no idea what causes some pitchers to thrive and others to blow out their arms. A team that can crack that enigma, or just show some tangible advantage over doing what everyone has always done, will reap a huge benefit. I have no idea if this particular idea will work, but it can’t hurt to try, and the minors is the place to do it since player development and not a team’s won-loss record is the primary goal.

It almost feels silly to even discuss these things because despite being prominently mentioned early in the story, the rest of it has nothing to do with them. I guess those things are proxies for the real gripe, about how the Astros evaluate players and handle contracts.

When players are first promoted to the majors, they need not be paid more than the standard minimum salary of $500,000. Once in the majors, a player’s service-time clock begins, which eventually will determine when he is eligible for salary arbitration (three years, or two-plus in some special cases) and free agency (six years) – both vehicles for bigger paydays.

The Astros have benefited from making contract offers to young players at low rates and holding back players in the minors for service-time reasons.

Last year, Jose Altuve signed a guaranteed four-year, $12.5 million deal (the Astros can extend it to six years) that made him even more valuable than his statistics alone – players who are productive and inexpensive are the game’s most valuable commodity.

Top prospect George Springer, who was promoted to the Astros after the season started, will not be eligible for free agency until he is 30 after the team delayed his move to the majors. The Astros said service time wasn’t a factor in the move that could potentially save them millions.

The Astros saved themselves money. But the question is whether the team handles these matters in a way that fosters confidence, and how much they should care about that perception in a business worth half a billion dollars based on a core product of 25 players.

“Players are people, but the Astros view them purely as property that can be evaluated through a computer program or a rigid set of criteria,” one player agent said, echoing the comments of others. “They plug players into it to see what makes sense from a development or contractual perspective, and it does not engender a lot of goodwill in the player or agent community.

“They wield service time like a sword (in contract extension negotiations) and basically tell a player, ‘This is what you are worth to us, take it or leave it.’ ”

Extension offers for players who have little or no major league experience have grown in popularity in recent years as teams try to get them at a bargain price, and the Astros have made several such offers.

The premise is not what some agents said bothers them, but how the Astros approach dealings and appear to handle clients.

Springer had an offer last year that reportedly was worth about $7 million guaranteed with the potential to earn more. The Astros also have made third baseman Matt Dominguez an offer worth $14.5 million for five years, plus two options, and outfielder Robbie Grossman received at least one similar offer – $13.5 million for six years plus two options, a person familiar with the offers said.

None of the players accepted. Luhnow has a policy of commenting on contracts only if a deal is finalized.

None of this is unusual. Every team does it to some extent. Offering multi-year extensions to young players that might sign for huge amounts elsewhere once they become free agents is standard practice now, to the point that teams like the Yankees that have traditionally done business by signing such players have had to make adjustments because the free agent talent pool ain’t what it used to be. Generally speaking, teams make this kind of offer to their rising stars with a year or two left in their team-control years – it doesn’t make sense to do it much earlier than that. If the Astros are insulting or alienating the kind of players they’d like to retain at a competitive salary, they’ll find those players will choose instead to play out the string and sign with another team. It’s just too early to say whether they’re headed down that path or not.

What was really amazing about this story was just how few people were quoted in it. One unnamed Astro, one unnamed agent, and two former players – Jed Lowrie and Bud Norris. Lots of potential axes to grind in there, but no objective outsider/analyst perspective, other than one positive statement about the effect of the shift defense. I have no idea what we’re supposed to make of this. Sure, it’s easy to point at the on-field performance, but we all know they started from a point of having zero talent. They’re finally developing that talent now, and it would be nice if they could keep the players they grow. It’s fine to point out that their managerial style – talking contract negotiations here, not player positioning or pitcher rotations – might be a hindrance to that. There was so much smoke in this piece it’s hard for me to say if that’s a legitimate concern or a bunch of mindless nattering by the handful of malcontents that every organization has. If it’s the former, there will be plenty of visible evidence for it soon enough. I’m not going to worry about it until then. Chron columnist Randy Harvey, who sees things more or less as I do, and PDiddie, who sees it differently, have more.