Astros-Cardinals Data Break-in a Wake-Up Call for Sports
So there was a multimillion-dollar corporation that set up an elaborate big data system to house proprietary information. The guy in charge of the system left to join a competitor, where he (and others he brought with him) set up a similar system. His ex-colleagues were afraid the guy had stolen some of their corporate secrets, so they took a list of old passwords and tried using them to log into his new system. They succeeded because someone had used the same passwords at the new company. They were ultimately caught when the second company called the FBI to investigate after seeing some of its data posted online.
That, in short, is the recent story of the St. Louis Cardinals and the Houston Astros—what Michael Schmidt of the New York Times writes “would represent the first known case of corporate espionage in which a professional sports team hacked the network of another team.”
Big data? In baseball? Who knew?
For those of you for whom baseball is still pine tar and chewing tobacco, big data in baseball has been a thing ever since 2002. That’s when Billy Beane used it to turn the Oakland As into a contending team on a shoestring budget (for context, in 2003 the As budget was around $40 million, while the Yankees was $120 million).
Michael Lewis brought the story to the forefront in his best-selling book, Moneyball, which became a hit movie in 2011 starring Brad Pitt. Following Lewis’ book, everybody in baseball started using big data in the hope of mimicking the As’ success. And with the increasing amount of data in baseball—95 percent of it has been accumulated in the past five years—one team has reportedly even bought a Cray supercomputer to do number-crunching in real time.
Jeff Luhnow, formerly vice president for baseball development with the Cardinals and now general manager of the Astros, was a management consultant at McKinsey who joined the Cardinals in 2003, Schmidt writes. “One of many innovative thinkers drawn to the sport by the statistics-based Moneyball phenomenon, he was credited with building baseball’s best minor league system, and with drafting several players who would become linchpins of that 2011 World Series winning Cardinals team.”
While Luhnow was with the Cardinals, the team built a computer network, called Redbird, to house all of its baseball operations information—including scouting reports and player information, Schmidt writes.
In December, 2011, Luhnow left the Cardinals to join the Astros as general manager, where he used similar tactics. The team created a program similar to Redbird, known as Ground Control, that contained the Astros’ “collective baseball knowledge” and weighted a series of variables to help improve the team.
But in 2013, “their internal deliberations about statistics and players were compromised,” Schmidt writes. The break-in was discovered when some Astros trading information was posted online, and the FBI was called in to investigate.
So while the Cardinals and Astros may have known a lot about big data, they apparently didn’t know a lot about security. Having a written list of passwords? Using the same passwords in a different company? Not using two-factor authentication? Not discovering the hack for a year, after the information was posted online?
One wonders whether the Cardinals—and McKinsey, for that matter—changed their passwords after the departure of Luhnow—who, incidentally, said it was untrue that poor password practices contributed to the hacking and that he knew better. (It’s speculated that other Cardinal staffers who joined him at the Astros might be the culprit.)
Either way, Schmidt notes that security weaknesses aren’t limited to the Cardinals and Astros (and ESPN agrees). “While paying players exorbitant salaries, teams maintain small budgets for their front offices, often leading to the hiring of analysts and programmers right out of college,” he writes. One of the things that’s fallen by the wayside is security, with one team executive telling Schmidt he hasn’t changed his password for three years.
And reportedly the Cardinals aren’t very good at breaking into systems, either. Law enforcement officials were able to find the source of the break-in—the home of some Cardinals officials in Jupiter, Fla., where the team does spring training.
“Good grief, what were they thinking—doing this on a computer in a Cardinals-leased residence?” fumes Bernie Miklasz in the St. Louis Post-Dispatch. “Doesn’t Starbucks have free wireless? Wasn’t there some 12-year-old kid in the Jupiter neighborhood they could have called for hacking advice?”
So far, the Cardinals’ scouting director Chris Correa—another numbers wonk, with a bachelor of science in cognitive science and a master of science in psychology—has been fired. Reportedly, he believed that the Astros had stolen proprietary data from the Cardinals and broke into the system, using a Cardinals password, to check. But he claimed he didn’t post any information online, meaning there’s at least one other person out there. In fact, some reports say the Cardinals broke into the Astros’ system at least three times.
Exactly how this is all going to end up is hard to say. Legal charges are a possibility. Various other punishments, including fines and bans, are also possible. Whatever the outcome, the scandal is prompting other teams, such as the Texas Rangers, to look at their security.
That’s a good idea, because experts say the sports world is a “natural target” for cyberattacks. Jason Bonk, a partner in the defense and internal investigations team at law firm Cozen O’Connor, told the Wall Street Journal that it’s the responsibility of all leagues and organizations to ensure their private data are secure.
“This requires proactivity, diligence, internal investigation and possibly revising and creating new policies on which employees are trained,” Bonk says. “The retail and financial services industries have more than proved that to be true in the last few years, and the sports world must appreciate the opportunity to take action before another entire industry is shaken up for all the wrong reasons. This is more of a risk than doping, spying or any other sexy sports story in recent years ever was.”
Meanwhile, when you change jobs, use different passwords. Please.
