By now you’ve probably heard the sexy story of one major league baseball team hacking another in perhaps the most famous case of corporate espionage to date. It’s the most famous because it involves the Houston Astros and the St. Louis Cardinals, but it’s really a trivial case in terms of impact. Corporations hack each other all the time.
This case was special because the “hacker” was so incredibly clumsy that he got caught. But now that more details about the crime have been made public, the case is more than sexy. It’s a fantastic lesson for security professionals and regular ol’ employees alike.
To refresh your memory, Christopher Correa, 35, worked in the scouting department for the Cardinals when all this happened — he started in 2009, and was named head of the department in 2013. The Cardinals were known as an early adopter of data-driven player management. A Cardinal employee was lured away by the Astros in 2011, and that team quickly made a remarkable turnaround from cellar dweller to playoff contender.
The Cardinals-to-Astros employee also created a beachhead for Correa to hack the rival Astros.
Court documents don’t identify the lured employee, naming him only “Employee A.” I’ll do the same.
When Employee A left for the Astros in December 2011, Correa demanded his Cardinals laptop and password. This isn’t uncommon, but it shouldn’t be necessary.
Lesson 1: The IT department has administrative passwords to access employee technology assets at all times, doesn’t it? And everyone is trained in the incredibly sensitive nature of this God-like power, right? Asking workers for passwords is dicey, and in some cases, it might not be legal. It shouldn’t be necessary.
Soon after, Correa got the idea to do some snooping on the Astros’ database, called Ground Control. It contains incredibly sensitive business intelligence, such as critiques of every draft-eligible player and notes on potential trades. According to the plea agreement released on Friday, Correa went on a fishing expedition, and by March 2013 had figured out what Employee A’s new Astros password was. While “obscure,” the feds say, the new password was similar to his old Cardinals password.
Lesson 2: Everybody uses “password families” that are different but related. Don’t do that when you change companies. Especially when you were forced to give the password to your former boss. If your password was ILovedMyRedBike@Age5, then don’t make it ILovedMyBlueBike@Age10. Someone like Correa will figure that out.
Lesson 3: Meanwhile, as a company, when you hire someone, basic training should include, “Don’t even THINK about re-using any of your security credentials from your prior employer.”
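The “password family” problem in Lessons 2 and 3 is something a password-change form can check for. This is an added example, not code from the article: it strips case, digits and punctuation to a word core and rejects a new password that is a near-edit of the old one or that reuses a long chunk of it. The thresholds (0.6 similarity, 6 shared characters) are assumed policy values, not figures from the case.

```python
import re

def _core(pw: str) -> str:
    """Fold case and drop digits/symbols so a changed number or punctuation
    does not disguise a shared word core ("RedBike@5" vs "BlueBike@10")."""
    return re.sub(r"[^a-z]", "", pw.lower())

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def longest_shared_run(a: str, b: str) -> int:
    """Length of the longest substring the two strings have in common."""
    best, row = 0, [0] * (len(b) + 1)
    for ca in a:
        new = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                new[j] = row[j - 1] + 1
                best = max(best, new[j])
        row = new
    return best

def similarity(old: str, new: str) -> float:
    """1.0 = identical cores, 0.0 = nothing in common."""
    a, b = _core(old), _core(new)
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def is_same_family(old: str, new: str, max_sim: float = 0.6, max_run: int = 6) -> bool:
    """Reject a new password that is a near-edit of the old one or that
    reuses a long chunk of it; thresholds are assumed policy values."""
    a, b = _core(old), _core(new)
    return similarity(old, new) >= max_sim or longest_shared_run(a, b) >= max_run

if __name__ == "__main__":
    for old, new in [("ILovedMyRedBike@Age5", "ILovedMyBlueBike@Age10"),
                     ("ILovedMyRedBike@Age5", "correct horse battery staple")]:
        print(f"{new!r}: same family = {is_same_family(old, new)}")
```

The check only works against passwords the system itself has seen, so it catches the bike-to-bike change within one company; the cross-employer reuse in Lesson 3 still comes down to training.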
Correa kept on fishing, and enjoyed a particularly good catch on July 31, 2013, when he was able to poke around the Astros trade notes on trade deadline day.
Lesson 4: There are plenty of security tools that can tell IT managers when connections are coming in from strange places and when data is flowing out of servers when it shouldn’t be. It seems the Astros weren’t watching who accessed Ground Control very carefully. That’s a surprise.
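The two signals Lesson 4 describes (logins from unexpected places and unusual volumes of data leaving) are simple to check for in an access log. This is an added example, not code from the article or the Astros: the log format, the trusted office range and the daily page budget are all constructed assumptions, and the addresses come from RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a hypothetical key=value format; the addresses are
# RFC 5737 documentation ranges, not real hosts.
ACCESS_LOG = """\
2013-07-30T09:12:01 user=employee_a src=198.51.100.4 action=login
2013-07-30T09:14:33 user=employee_a src=198.51.100.4 action=get pages=2
2013-07-31T10:05:00 user=scout_b src=198.51.100.9 action=login
2013-07-31T23:41:07 user=employee_a src=203.0.113.7 action=login
2013-07-31T23:42:50 user=employee_a src=203.0.113.7 action=get pages=30
2013-07-31T23:49:12 user=employee_a src=203.0.113.7 action=get pages=35
"""

# Assumed policy: the office/VPN egress range and a per-user daily page budget.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
DAILY_PAGE_LIMIT = 50

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"action=(?P<action>\S+)(?: pages=(?P<pages>\d+))?$")

def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pages"] = int(ev["pages"] or 0)
            yield ev

def detect(log: str) -> list:
    """Flag logins from outside the trusted ranges and any user whose page
    pulls in one calendar day cross the budget (alert once per crossing)."""
    alerts, pulled = [], defaultdict(int)
    for ev in parse(log):
        src = ipaddress.ip_address(ev["src"])
        if ev["action"] == "login" and not any(src in n for n in TRUSTED_NETS):
            alerts.append(f"{ev['ts']} login by {ev['user']} from untrusted {ev['src']}")
        key = (ev["user"], ev["ts"][:10])          # per user, per day
        before = pulled[key]
        pulled[key] += ev["pages"]
        if before <= DAILY_PAGE_LIMIT < pulled[key]:
            alerts.append(f"{ev['ts']} {ev['user']} pulled {pulled[key]} pages "
                          f"on {key[1]} (limit {DAILY_PAGE_LIMIT})")
    return alerts

if __name__ == "__main__":
    for a in detect(ACCESS_LOG):
        print(a)
```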
That winter, the Houston team got wind that something was amiss when a local paper disclosed the existence of Ground Control. It was available on a password-protected but publicly accessible website named groundcontrol.astros.com.
Lesson 5: If your company’s most critical intelligence is available at a public URL, you are just asking people to try to hack in.
Anyway, now assuming that someone might be breaking in, the Astros acted fast and forced every employee to change their password. That’s good, except the change was announced in a company-wide email. And guess what? Correa had access to Employee A’s email, too. So he got the new default password, and used it to hack into Ground Control through another Astros employee’s account.
Lesson 6: Forcing password changes during a crisis is a fine idea, but sending out a default password in an email isn’t a great idea, particularly if you have a sense that your systems might already be compromised. When one system has been hacked, it’s a good bet others have, too.
That day, March 10, 2014, Correa must have feared his access could be cut off at any time, and he went to town. He downloaded 118 pages of Astros data on potential trades, players and draft targets. The guilty plea (which you can read here) mentions that Correa was able to log in until at least March 27.
Lesson 7: When a security incident requires a company-wide password reset, the reset has to be enforced, not merely announced.
To recap: a full 17 days after a security incident that forced a company-wide password reset, an outsider was able to log in using a default password that was emailed to employees.
Lesson 8: !!!!
Correa, a promising young baseball executive, was fired in July. He pled guilty to five counts of unauthorized access and will almost certainly do serious jail time. During his guilty plea, he claimed he was worried that Astros officials were accessing Cardinals data.
Lesson 9: Being comfortable with your own firm’s security practices is a much better idea than “hacking back” if you suspect espionage. You don’t want to become an example for federal prosecutors in a high-profile case.
Lesson 10: “Hacking” is a crime. Using someone else’s password to log into their computer is a crime, even if it’s an ex-employee, or an ex-girlfriend, or whatever.
I have this one slice of sympathy for Correa, who clearly had no idea how easy it would be to prove his electronic trespassing once professionals got involved. After all, there is no mention anywhere of him trying to hide his tracks.
Baseball is a funny industry for an espionage case. The sport is full of secret stealing. Pitchers and catchers use coded signs to communicate, and base runners routinely try to steal them. Dugout players try to steal signs from base coaches. Teams sometimes sign rivals’ former players to help with sign stealing. There are plenty of persistent rumors that teams use electronic aids in their home stadiums to get an advantage. (Like this rumor about the slugging Toronto Blue Jays.) Playing along the edge of the rules is not only allowed, but practically celebrated. Plenty of “cheaters” are in the Hall of Fame. Within that culture, was Correa merely extending this tradition of secret stealing into the digital age? And was he really the only one involved? At the moment, he was the only one caught, it would seem.