Off the Kuff Rotating Header Image

Saint Louis Cardinals

More about the hack of the Astros

Fascinating stuff.

A federal judge has unsealed details about former St. Louis Cardinals executive Chris Correa’s hacking of the Astros’ email and player evaluation databases, clearing the way for Major League Baseball to impose sanctions against the Cardinals as soon as this week.

Three documents entered into court records but made public by U.S. District Judge Lynn Hughes on Thursday reveal new information regarding Correa’s intrusions, for which the former Cardinals scouting director is serving a 46-month sentence in federal prison after pleading guilty in January 2016 to five counts of unauthorized access to a protected computer.

[…]

According to the documents, portions of which remained redacted, Correa intruded into the Astros’ “Ground Control” database 48 times and accessed the accounts of five Astros employees. For 21/2 years, beginning in January 2012, Correa had unfettered access to the e-mail account of Sig Mejdal, the Astros’ director of decision sciences and a former Cardinals employee. Correa worked in St. Louis as an analyst under Mejdal, who came to Houston after the 2011 season with Astros general manager Jeff Luhnow, also a former Cardinals executive.

“(Correa) knew what projects the Astros’ analytics department was researching, what concepts were promising and what ideas to avoid,” said one of the documents, signed by Michael Chu, the assistant U.S. attorney who prosecuted the case against Correa. “He had access to everything that Sig Mejdal … read and wrote.”

Correa also attempted to gain access to the accounts of Bo Porter, the Astros’ manager in 2013-14, and pitching coach Brent Strom, and he used passwords belonging to Luhnow, Astros analyst Colin Wyers, and three Astros minor league players to gain access to the Astros system, the documents show.

A third document includes a subpoena from Correa’s attorney to obtain documents from the Astros, based on Correa’s statement that he was combing the files looking for information taken from the Cardinals. Hughes denied the request, which sought access to emails from Mejdal, Luhnow and former Astros assistant GM David Stearns and analyst Mike Fast regarding a variety of topics, including Cardinals minor league pitching coach Tim Leveque, Cardinals assistant general manager Mike Girsch and the Cardinals’ player information database, known as RedBirdDog.

See here and here for some background. The sanctions have since been imposed – the Cardinals will give their top two draft choices and two million bucks to the Astros as redress – but it’s the details of what Correa did that are so riveting. Deadspin, which was a key player in this as well, elaborates:

The sentencing document also points to a motive beyond the obviously useful scouting data: Correa was furious and envious of Mejdal’s acclaim in a June 25, 2014 Sports Illustrated cover story about the Astros’ embrace of analytics, with the cover predicting them as the winners of the 2017 World Series.

The account the feds lay out reads like a downright sinister revenge plot by Correa: On June 27, two days after the SI cover story, Correa attempted, unsuccessfully, to log into Mejdal’s, Luhnow’s, and Wyers’s Ground Control accounts. He then tried to log in via the accounts of Astros pitching coach Brent Strom and Astros manager Bo Porter. Thwarted but not deterred, he tried another tactic.

[…]

The same day, June 28, Deadspin was emailed a tip from a burner email service that linked “to a document on AnonBin, a now-dead service for anonymously uploading and hosting text files.” On June 30, Deadspin published the contents of the document, which detailed the Astros’ trade discussions between June 2013 and March 2014.

A year later, Deadspin deputy editor Barry Petchesky laid out the information we received, and why he believed we were the intended recipients. We had and have no additional information that indicates who the leaker was, and would not reveal the leaker’s identity if we knew it—as Petchesky later explained to an FBI investigator.

Regardless, the feds speculate that Correa himself emailed us the information.

Damn. I will watch the hell out of the eventual 30 for 30 documentary on this. The Press, Craig Calcaterra, and Jeff Sullivan, who thinks the Cardinals got off too lightly, have more.

Astros hacker sentenced to 46 months

Away he goes.

Former St. Louis Cardinals executive Christopher Correa was sentenced Monday to 46 months in prison for illegal incursions into the Astros’ computer database, wrapping up a case of sports-related cybercrime that a federal judge and prosecutors summed up as plain, old-fashioned theft.

Correa, 35, will report within two to six weeks to begin his sentence imposed by U.S. District Judge Lynn Hughes, who accepted the government’s recommended sentence in the wake of Correa’s guilty plea in January to five counts of illegal access to a protected computer.

Now the case moves into the hands of Major League Baseball, where commissioner Rob Manfred will decide if the Cardinals will face sanctions because of Correa’s actions in 2013 and 2014.

Manfred also may be asked to consider a heretofore undisclosed element: that Correa intruded into the Astros’ system 60 times on 35 days, far more the five reported cases to which he pleaded guilty, according to an Astros official.

[…]

U.S. Attorney Kenneth Magidson said he was pleased with length of the sentence. Correa could have been sentenced to a maximum of five years in prison on each count, although prosecutors agreed in return for his guilty plea that sentences would be served concurrently.

“This is a serious federal crime,” Magidson said. “It involves computer crime, cybercrime. We in the U.S. Attorney’s office look to all crimes that are being committed by computers to gain an unfair advantage. … This is a very serious offense, and obviously the court saw it as well.”

Astros general counsel Giles Kibbe, who also attended the hearing, described Monday as a “sad day for baseball” and emphasized that the Astros were the victims of Correa’s unauthorized access into a computer database that included scouting reports and other information.

Referring to Correa’s statements in January, he added, “I don’t know what Mr. Correa saw in our system or what he thinks he saw in our system, but what I can tell you is that the Astros were not using Cardinals’ proprietary information.”

Kibbe, for the first time, also acknowledged that Correa’s intrusions into the Astros computer system were more frequently than the instances set out in the information to which he pleaded guilty – 60 intrusions over 35 days, he said, from March 2013 through June 2014.

He also said the Astros would rely on Major League Baseball to complete its investigation of the Cardinals, with the possibility of sanctions against the team.

“We have full faith in his actions,” he said, referring to MLB commissioner Manfred.

See here for the background. Correa had previously claimed to have found Cardinal information on the Astros’ system while he was hacking around. There could be some effect from that if there’s anything to it when MLB wraps up its investigation and imposes any sanctions on the Cards. In the meantime, I’d say this will serve as a pretty strong deterrent to any other baseball front office folks who may have been tempted to take an unsanctioned peek at what their rivals are doing. No one can say they haven’t been warned at this point.

Astros-hacker pleads out

One chapter closes in of one of the stranger sagas I’ve seen in sports.

The former scouting director of the St. Louis Cardinals pleaded guilty in federal court Friday to hacking into the player database and email system of the Houston Astros in an unusual case of high-tech cheating involving two Major League Baseball clubs.

Chris Correa pleaded guilty to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. Correa, 35, was fired last summer and faces up to five years in prison on each charge when he is sentenced April 11.

“I accept responsibility in this case,” Correa told U.S. District Judge Lynn Hughes. “I trespassed repeatedly.”

“So you broke in their house?” Hughes asked Correa, referring to the Astros.

“It was stupid,” replied Correa, who is free on $20,000 bond.

U.S. Attorney Kenneth Magidson said the hacking cost the Astros about $1.7 million, taking into account how Correa used the Astros’ data to draft players.

“It has to do with the talent that was on the record that they were able to have access to, that they wouldn’t have otherwise had access to,” he told reporters. “They were watching what the Astros were doing.”

MLB could discipline the Cardinals, possibly with a fine or a loss of draft picks, but said only that it looked forward to getting details on the case from federal authorities. The Cardinals, whose chairman, Bill DeWitt Jr., had blamed the incident on “roguish behavior,” declined comment.

See here, here, and here for the background. Given that he pleaded out, I don’t expect Correa to get jail time, though perhaps a suspended sentence might be in the works. He’ll never work in baseball again, that’s for sure.

There’s still a lot more to this, however. As Craig Calcaterra notes, Correa claimed to have found Cards information on the Astros’ system when he was traipsing around in there.

That may not raise to a criminal level — there is no allegation Astros people hacked into the Cardinals’ system — but it could be relevant to Major League Baseball in a larger team-to-team information security matter. All of that depends on what Correa is saying he saw, which we do not know yet.

That aside, the level and the amount of information Correa got from the Astros is extraordinary. The defense some have offered — that he was merely checking to see if the Astros stole something — seems like a tiny part of this compared to what he accessed. And the argument I have heard from some people that, “hey, Correa was just walking in an unlocked door, so it’s not a big deal,” is not really true. He walked in, the Astros locked it, so then he broke into Jeff Luhnow’s office, as it were, and stole the keys so he could walk back in again. That is not just idle perusing. That is a concerted effort to carry out corporate espionage.

All of which is to say that this is far from over, especially from a baseball perspective. Correa performed his duties as Cardinals scouting director for over two years while in possession of extensive amounts of Astros’ confidential information. That benefitted him personally and, by extension, benefitted the Cardinals via the acts he took on their behalf with that information in his head. And that’s the case even if he was the sole person involved. If anyone else accessed Ground Control or was made privy to the information Correa obtained, it makes the Cardinals’ collective informational advantage all the greater.

Major League Baseball needs to find out what, if anything the Astros have of the Cardinals, as Correa claims. They need to learn — as they may still learn given that the investigation and the case is not over — what law enforcement knows about anyone else’s involvement. There is still a long way to go. However, based on what is known at the moment, the data breach here was extensive and extraordinary and the Cardinals will likely be facing some stiff, stiff penalties as a result. Maybe financial penalties. Maybe draft pick penalties. Maybe some combination.

Either way, this case is way bigger than people thought it to be yesterday.

We’ll see what MLB does once they have all the information that the prosecutors gathered. Hair Balls and the Chron have more.

Bad choice, Lance

Very disappointing.

HoustonUnites

Lance Berkman, former Houston Astros star and Texas native, has waded into the fight for LGBT protections, sharing his views in a new ad campaign this week. At the center of Berkman’s concern is Houston’s Equal Rights Ordinance (HERO), a nondiscrimination law similar to those on the books in cities across the country and the subject of an intense debate leading up to the November 3 vote.

Berkman is focused on the part of the law that applies to public accommodations like bathrooms; he echoes the anti-trans rhetoric used by HERO’s opponents as he urges Houston residents to vote against the measure, invoking his four daughters and his desire to protect them from “troubled men” going into women’s restrooms.

“Proposition 1, the bathroom ordinance, would allow troubled men to enter women’s public bathrooms, showers, and locker rooms. This would violate their privacy and put them in harm’s way,” he says in the ad, produced by Campaign for Houston.

In an accompanying video Berkman adds, “It’s crazy and it kinda makes me want to say… Wake up, America! That’s what I want to scream at people because I mean, what are we doing here? We have the potential for men going into a women’s bathroom. The very few people that this could even be slanted as discriminating against, is it worth putting the majority of the population at risk?”

[…]

Berkman told the St. Louis Post-Dispatch that his opposition to the measure was based on the one equal-access application that would allow trans people to use any bathroom they consider to be consistent with their gender identity. He tried to walk back the reference to “troubled men,” saying it was not in reference to transgender people: “That language refers to that scenario or a voyeur — somebody who goes into a women’s bathroom and just likes to look at people. That to me is troubled.”

The situation Berkman describes is virtually unheard of, however. According to the Advocate, “although hundreds of trans-inclusive nondiscrimination ordinances have been in force in cities around the country for several decades, there has never been a verifiable, reported instance of a trans person harassing a cisgender person, nor have there been any confirmed reports of male predators ‘pretending’ to be transgender to gain access to women’s spaces and commit crimes against them.”

See, that’s what happens when you make statements based on lies. You really look like an idiot when you get called on it. I have no idea where this idea that it’s okay to discriminate against some people, based on a fevered dream of something that might maybe someday happen, but I’m pretty sure that anyone who would say that is fully confident that he himself will never be part of any group that would ever be discriminated against. All I can say is that this attitude is exactly why we need anti-discrimination ordinances.

By the way, I don’t know if anyone has explained this to Lance Berkman, but the city Saint Louis (as well as Saint Louis County), where he played for two seasons and where he was just feted at a Cards game, has the same non-discrimination ordinance that Houston passed. Lots and lots of cities do. There’s a reason why the Houston Association of Realtors has endorsed HERO. It was good for Saint Louis, and it is good for Houston.

In the spirit of dispelling the kind of BS that Lance Berkman has unfortunately chosen to help spread, here’s the newest ad from Houston Unites:

I know that facts have limited capacity to persuade people whose minds are already made up, but they’re still the facts. Why would you trust anyone who would so shamelessly lie to you? OutSports has more.

Cardinals identify a fall guy

The latest Hacked-Stros news.

The St. Louis Cardinals have terminated the contract of their scouting director, Chris Correa, as investigations continue into alleged hacking of a Houston Astros database.

A Cardinals’ lawyer, James G. Martin, confirmed the move Thursday, saying Correa already had been on an “imposed leave of absence.” Martin declined to comment on the reason. And he would not say whether any employee has admitted hacking the Astros, citing ongoing investigations by the club, Major League Baseball and the FBI.

Correa declined to comment.

In a prepared statement, Correa’s lawyer, Nicholas Williams, wrote: “Mr. Correa denies any illegal conduct. The relevant inquiry should be what information did former St. Louis Cardinals employees steal from the St. Louis Cardinals organization prior to joining the Houston Astros, and who in the Houston Astros organization authorized, consented to, or benefited from that roguish behavior?”

Giles Kibbe, the attorney for the Astros, reaffirmed an earlier denial that neither the Houston organization nor any previous Cardinals employees now with the Astros had taken anything proprietary from the Cardinals.

Astros general manager Jeff Luhnow, who as head of the Cardinals’ analytics department had helped build the database used here to evaluate players, has said that everything he and others did in Houston was accomplished “from scratch.”

“We stand by all of our previous comments,” Kibbe said. “We’re looking forward to the conclusion of the FBI’s investigation. I stand by all that Jeff has said on this matter.”

Correa has admitted hacking into a Houston database but only to determine whether the Astros had stolen proprietary data, according to a source with knowledge of the investigation.

Correa did not leak any Astros data and is not responsible for additional hacks that the FBI has alleged occurred, said the source.

[…]

The source said that Correa’s involvement in the hacking began in 2013, in an attempt to determine whether Luhnow or any other former Cardinals employees took proprietary data to the Astros.

Correa’s suspicions were aroused in part by a résumé in which a job seeker claimed expertise that Correa believed could have come only from working with Cardinals data, the source said.

He used an old password from a former Cardinals employee working for the Astros to access the Houston database “a few” times but did not download data, the source said. The source claims Correa located some data on the website, but did not report it to his bosses because the information was outdated and unreliable without being redone.

The source said that others must have accessed Houston’s database if federal investigators’ claims about the number of hacking attempts are correct.

See here and here for the background. The counter-charges are interesting and I suppose could be a potential line of defense in the event this ever goes to a courtroom in some fashion. Whether it might mitigate any future punishment by MLB is another matter. The Chron story adds a bit more detail.

Giles Kibbe, the Astros’ general counsel, said in an e-mail, “We stand by all of our previous comments. We look forward to the FBI concluding their investigation.”

Major League Baseball, similarly, plans to await the conclusion of the FBI’s investigation, a person familiar with the league’s thinking said. A league spokesperson did not return a request for comment.

The FBI has not commented on details of its investigation but repeated a previously issued statement: “The FBI aggressively investigates all potential threats to public and private sector systems. Once our investigations are complete, we pursue all appropriate avenues to hold accountable those who pose a threat in cyberspace.”

[…]

Washington D.C.-based attorney Peter Toren, who handles cases involving intellectual property and commercial litigation, said that were a civil case to be filed, the Cardinals might be able to allege as a counterclaim against the Astros that Astros personnel improperly used information obtained in their time as employees for the Cardinals that could be classified as a trade secret.

Major League Baseball forbids clubs from suing each other, instead directing disputes to the commissioner as arbitrator. He can then award the Astros damages.

Luhnow and director of decision sciences Sig Mejdal worked with the Cardinals before joining the Astros, for whom they launched a database called “Ground Control.” The Cardinals had their own database, called “Red Bird Dog.”

“Ground Control” includes statistics, player evaluations and, at least up until last spring, logs of trade negotiations. Those logs were posted online and widely viewed at the website Deadspin last June, prompting an FBI investigation.

As first reported by The New York Times and confirmed by the Chronicle, the Cardinals had a master list of passwords, and at least one of the Astros’ departed executives did not alter his password well enough upon departure.

While Astros amateur scouting director Mike Elias also worked with the Cardinals in St. Louis and came over to the Astros with Luhnow, a person familiar with the investigation said Elias’ log-in credentials were not at issue. It’s unclear if the log-in information of both of Luhnow and Mejdal or just one of the two was in some way utilized in accessing Astros information.

Luhnow told Sports Illustrated he knows “about password hygiene and best practices” but did not directly address whether both he and his employees followed those practices to the necessary extent. Luhnow has turned down repeated requests for comment.

“I’m very aware of intellectual property and the agreements I signed,” Luhnow told Sports Illustrated. “I didn’t take anything, any proprietary information. Nor have we ever received any inquiries from anybody that even suggested that we had.”

Regarding the use of information obtained while working for another employer, Toren said, “That scenario is probably the most common type of trade secret case. One employee moves jobs and takes information with him to a new job for his use. The question then is: Is the employee generally allowed to take with him general knowledge?”

Toren said courts have ruled that employees can use general knowledge and skills gained on one job when they move to their next employer. However, he said lines can become blurry over “the type of information that really belongs to the employer that goes beyond … and really is specific knowledge.”

I still say having a master list of passwords is a terrible idea, whether Luhnow and the others who jumped from the Cards to the Stros practiced good password hygiene or not. I can’t wait to see the FBI report. Craig Calcaterra, who is not impressed by Correa’s attorney’s claims, has more.

“Roguish behavior”

The Saint Louis Cardinals admit they hacked the Astros’ proprietary database.

Thursday’s tacit admission by St. Louis Cardinals owner Bill DeWitt Jr. that someone in his organization was involved in hacking the Astros continued a saga that holds the potential for more tawdriness once the FBI has completed its investigation and all the details are released.

The Chronicle on Thursday learned that the Cardinals had unauthorized access to Astros information as early as 2012, a year earlier than was previously known. DeWitt, meanwhile, acknowledged for the first time that his organization played a role in accessing proprietary information belonging to the Astros, blaming “roguish behavior.”

Meeting with reporters in St. Louis on Thursday along with Cardinals general manager John Mozeliak, DeWitt said his organization’s own investigation was still ongoing. He did not specify which employees were responsible, but he told club workers “we’ve all been tainted.”

“Those responsible will be held accountable,” DeWitt said, “and we will continue what we feel is a great franchise.”

The extent of the Cardinals’ reach inside the Astros’ organization isn’t fully known. But it was not limited to one or two occasions, a person familiar with the details of the investigation said. The source asked for anonymity because of the sensitive nature of the case. The Chronicle has previously confirmed two breaches into the Astros’ system – one in 2013 and one in March 2014. The FBI began its investigation after the 2014 breach.

[…]

DeWitt expressed confusion over the intrusions, which he said were limited to a handful of people. The Chronicle learned this week the list of suspects was down to four or five.

“We’re committed to getting this resolved, we hope sooner rather than later,” DeWitt said. “We’re a little bit at the government’s pace. We’re not in a position of pushing them, as you might imagine.”

DeWitt said he was shocked to learn of the scandal.

“I still don’t know the reason for it,” he said of the hacking. “I can’t come up with a reason for it. It goes against everything we stand for. We don’t know who did what here.”

See here for the background. The story suggests that the Astros could have a claim for compensation for their data loss. Let’s see how the FBI investigation goes first, and what if any action Commissioner Rob Manfred takes. I suspect we’re a long way from any resolution just yet.

In the meantime, I love the use of the word “roguish” to describe the actions by whoever did this. It reminds me of a song.

I hereby declare that the official theme song of this scandal, for its use of the word “roguish”. Hair Balls has more.

The Hacked-Stros

WTF?

The F.B.I. and Justice Department prosecutors are investigating whether front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, hacked into internal networks of a rival team to steal closely guarded information about player personnel.

Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built, according to law enforcement officials. Internal discussions about trades, proprietary statistics and scouting reports were compromised, the officials said.

The officials did not say which employees were the focus of the investigation or whether the team’s highest-ranking officials were aware of the hacking or authorized it. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.

The attack represents the first known case of corporate espionage in which a professional sports team has hacked the network of another team. Illegal intrusions into companies’ networks have become commonplace, but it is generally conducted by hackers operating in foreign countries, like Russia and China, who steal large tranches of data or trade secrets for military equipment and electronics.

Major League Baseball “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database,” a spokesman for baseball’s commissioner, Rob Manfred, said in a written statement.

[…]

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.

[…]

The intrusion did not appear to be sophisticated, the law enforcement officials said. When Mr. Luhnow was with the Cardinals, the organization built a computer network, called Redbird, to house all of their baseball operations information — including scouting reports and player personnel information. After leaving to join the Astros, and bringing some front-office personnel with him from the Cardinals, Houston created a similar program known as Ground Control.

Ground Control contained the Astros’ “collective baseball knowledge,” according to a Bloomberg Business article published last year. The program took a series of variables and “weights them according to the values determined by the team’s statisticians, physicist, doctors, scouts and coaches,” the article said.

Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

Emphasis mine. Allow me to put my IT security hat on for a moment: There should never be a “master list of passwords”, because writing passwords down is poor security practice. Keep passwords in your head or in a password-keeper app. Two-factor authentication is a fine idea, too. And for goodness’ sake, don’t reuse old passwords, especially if you know that someone else knows what those old passwords are. The weakest link in any enterprise system is always an end user with bad security habits. Thus endeth the lesson. I can’t wait to see what Commissioner Manfred makes of this “Spygate” allegation. Hair Balls and ThinkProgress, from whom I got the embedded image, have more.