St. Louis Cardinals, Houston Astros Computer Hacking Case: Corporate Espionage In The MLB And How GM Jeff Luhnow Could Have Avoided It

Back in mid-June it was reported the St. Louis Cardinals were being investigated for hacking into the Houston Astros' computer database and accessing sensitive information. While the FBI and Justice Department prosecutors conducted their probe, HNGN spoke with Jason Eaddy, a digital forensics expert at Stroz Friedberg, to pinpoint the specifics and explain the case without the legalese and technological parlance.

Last year federal investigators uncovered evidence suggesting employees of the Cardinals' organization breached Houston's "Ground Control" computer database in 2013 and 2014 and gained access to internal discussions about trades, proprietary statistics and scouting reports, according to The New York Times.

Cardinals ex-scouting director Chris Correa pleaded guilty to five counts of unauthorized access into the Astros' computer system in federal court on Friday. He was fired in July during a self-imposed leave of absence in the midst of the federal investigation, which happened to be the first case of corporate espionage in the world of sports.

When a cyber incident of this nature occurs in any realm, that's where Eaddy comes in.

Stroz Friedberg is a "global leader in investigations, intelligence and risk management." The company's experts specialize in the fields of digital forensics, investigations, forensic accounting, incident response, security, compliance, data discovery, intelligence and due diligence. Before Stroz Friedberg acquired Elysium Digital, Eaddy oversaw Elysium's forensics and discovery division, which handled all projects that are based in computer forensics, intellectual property or electronic discovery.

"On the forensics and incident response side we will go in and conduct an investigation. Along these lines, we look at hacking incidents to figure out what actually occurred, who was involved, when the hack occured, what access did they have to the data that was breached, and what happened to the data after the breach," Eaddy told HNGN in an exclusive interview.

"The Astros, for instance, would hire a company like ours to perform an investigation based upon signs a breach occured. The investigation often results reaching out to the FBI or the filing of litigation in incidents of corporate espionage."

(Note: Eaddy and Stroz Friedberg/Elysium Digital were not involved in this case.)

The last update regarding the Cardinals/Astros case - before Correa pleaded guilty to charges on Friday - came in early July when CNN reported federal investigators have "recommended charges be brought against at least one St. Louis Cardinals employee implicated in the probe of an alleged computer intrusion of databases belonging to the Houston Astros."

At the time, the FBI reportedly had four to five people of interest in the case. However, at this point, Correa was the only one charged. His sentencing hearing is scheduled for April 11, so we'll again be waiting on the official outcome of the case.

"Each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine. Correa will pay $275,000 in restitution as well," Reid Laymance of the Houston Chronicle reported on Friday. (Click that link to check out the court documents as well.)

Perhaps the average reader saw a headline about the hacking scandal back in June and didn't think much of it. "Oh, it's just baseball. No big deal." Or maybe others thought it was a bunch of analytics nerds battling for supremacy in front offices across MLB.

But it is a big deal. Stealing intellectual property is a crime. As you can see, when such sensitive and expensive information is compromised - regardless of domain or field - there's a hefty price to pay.

As we approach the conclusion of the Cardinals/Astros case, there are a number of questions to consider:

• How was Correa tracked down?

• Exactly how did he hack the Astros' computer database?

• What laws protect the Astros in this case?

• What are the consequences of such criminal digital activity?

• Is this any different from a similar case involving two entities outside of sports?

• Will the sports world witness an increase in such hacks given the fact almost all pertinent scouting/statistical information has gone digital in recent years?

Thanks to Eaddy, we were able to answer all of those questions thoroughly.

So how did the Cardinals gain access to the Ground Control database? The initial report of the incident noted Astros' current general manager - and former Cardinals' executive - Jeff Luhnow left behind a list of passwords he used while working for St. Louis. Luhnow also established the Cardinals' computer database "Redbird," which is the same type of system he now uses in Houston.

So what does this mean for the future security of sensitive information among MLB teams now that scouting has gone digital and analytics play an overwhelming role in today's game due to the battle between small market teams and big market teams?

"I think that just as systems are used more and more and teams become more reliant on these analytical databases, there will be an increase," Eaddy mentioned. "I don't think it's going to be some sort of marked increase simply because the chances of getting caught are so high. At some point, this whole thing steps outside of the sports world and brings in the real world reality of jail time, which is going to wind up being a major deterrent, even to someone looking to gain a competitive advantage."

Commissioner Rob Manfred has already been tasked with countless pressing issues in his first year in charge of MLB. Cyber security could become a topic of discussion once this case is closed.

In the end, Correa's actions will likely serve as a baseline for future acts of cyber hacking and breaching in the MLB. As noted earlier, he faces up to five years of imprisonment and a maximum fine of $250,000 per count, as per his plea agreement. He'll pay $275,000 in restitution, and if he has to pay the additional $1,250,000 (fine for all five counts), that's a total of $1,525,000.

McHugh's 2015 salary was $516,700, just for some perspective.

But what is the overall price tag that will be placed on the glut of information Correa illegally accessed?

"That's going to require an expert to talk about that," Eaddy said. "How much time and money went into creating the database? How much effort went into gathering information? Someone will be able to talk about it and put a dollar figure on it. What's the value of it to an MLB organization?"

That was also determined on Friday.

"The value of the information that Correa gained unauthorized access has been set at $1.7 million," Laymance added. "Federal attorneys said they came to the $1.7 million figure based on the Astros' scouting budget and the number of players included in the database."

One can only wonder what the penalty might have been for Correa if he accessed sensitive information prior to the Astros' 2015 draft. The team selected Alex Bregman with the second overall pick ($7,420,100 signing bonus), Kyle Tucker with the fifth overall pick ($4,188,700) and Daz Cameron with the 37th overall pick ($4 million) - totaling $15.6 million.

With the value of players and advanced scouting/analytics skyrocketing by the day, the penalties for such future offenses are only going to become more severe. If we witness another case like this down the road, Correa's potential maximum fine of $1,525,000 might look like chump change.
