Generally speaking, officials and experts say, the tools to hack someone else’s network are readily available online. “By itself, it doesn’t represent anything illegal,” the official said. But once a person intrudes into another person’s computer system without permission, “you’ve crossed the magical line,” the official said. Accessing someone’s computer without authorization is a federal crime under the Computer Fraud and Abuse Act.
This is the first suspected case of corporate espionage in which a professional sports team has allegedly hacked the network of another team, according to the New York Times, which first reported the investigation.
Officials told the Times that they have uncovered evidence that Cardinals officials hacked the Astros’ database, known as Ground Control, and obtained information and internal discussions about trades, proprietary statistics and scouting reports. The names of the officials under investigation were not revealed. The Cardinals, who have the best record in baseball this season and are one of the sport’s most successful teams since the turn of this century, said in a statement that they have “fully cooperated with the investigation and will continue to do so. Given that this is an ongoing federal investigation, it is not appropriate for us to comment further.”
Major League Baseball said in a statement that it “has fully cooperated with the federal investigation,” adding “Once the investigative process has been completed by federal law enforcement officials, we will evaluate the next steps and will make decisions promptly.”
How serious is a cybersecurity breach in a sport with a rich history of stolen signs, illegal pitches and corked bats? An executive with another team, who asked to remain anonymous because of the ongoing investigation, told The Post that such a breach would be taken extremely seriously.
“There’s so much proprietary analysis, and the teams that do this sort of thing each have their own magic, secret formula for how they evaluate players, people, systems – all kinds of things,” the executive said. “For another team to have that, for whatever their purposes, is an unbelievable advantage for the other team.”
A former executive who also asked for anonymity told the Post: “It’s like the Coke formula. You don’t want Pepsi to have it.”
Such information, multiple current and former executives said, could be used in a wide range of ways – to know what players a franchise valued in trades; to learn different scouting methods; to raise a flag about players they hadn’t scouted and might want to get someone to see.
“If you’re running an organization and a scouting department, and you’ve got mixed reports on Player X, and you have access to the Astros’ system, you might say, ‘I wonder what they think of the guy,’ ” one source said. “And they’re spending millions to have that be protected. You’re the only team that’s supposed to have it.”
In trade discussions, access to this kind of information could provide a window into an organization’s thinking.
“If you know what the Astros are doing every minute, then you can be the behind-the-scenes guy to either help a deal get done by becoming a third team, or you could head them off and get something done yourself,” another current executive said. “You might find out certain guys were available from the Astros that you thought were untouchable. You might find out what kinds of players Houston is offering and what kind of players the Tigers, say, are rejecting, and you might be able to find a match for yourself to get something done with the Tigers.”
Security surrounding Ground Control was the subject of a Deadspin report last summer that lauded all that it could do while revealing that it was deficient in the password department. Barry Petchesky wrote that it was, “by all accounts a marvel, an easy-to-use interface giving executives instant access to player statistics, video, and communications with other front offices around baseball.” From Deadspin:
Documents purportedly taken from Ground Control and showing 10 months’ worth of the Astros’ internal trade chatter have been posted online at Anonbin, a site where users can anonymously share hacked or leaked information. …[T]hey contain the Astros front office’s communications regarding trade overtures to and from other teams, as well as negotiations—a few of which actually led to trades. You will find heavy efforts to get a big haul for Bud Norris at last year’s trade deadline (before settling for very little), pushes to acquire touted young talents like Dylan Bundy and Gregory Polanco, and even evidence the Astros rejected out of hand a blockbuster deal that could have brought them Giancarlo Stanton.
Not long after that breach and the Deadspin report, the Astros acknowledged a security problem and Deadspin reported that the FBI was on the case.
The Astros said in a statement at that time to Deadspin:
“Last month, we were made aware that proprietary information held on Astros’ servers and in Astros’ applications had been illegally obtained. Upon learning of the security breach, we immediately notified MLB security who, in turn, notified the FBI. Since that time, we have been working closely with MLB security and the FBI to the[sic] determine the party, or parties, responsible. This information was illegally obtained and published, and we intend to prosecute those involved to the fullest extent.“It is unfortunate and extremely disappointing that an outside source has illegally obtained confidential information. While it does appear that some of the content released was based on trade conversations, a portion of the material was embellished or completely fabricated.”
The Cardinals and Astros played in the same division of the National League from 1994 to 2012, and the Astros, now in the American League, now lead the West Division by 2 1/2 games. Jeff Luhnow, a former executive handling scouting and player development in St. Louis, was described by the Times’ Michael S. Schmidt as “one of many innovative thinkers drawn to the sport by the ‘Moneyball’ phenomenon,” and Schmidt notes that “he was credited with building baseball’s best minor league system, as well as drafting several players who would become linchpins of the Cardinals’ 2011 World Series-winning team.”
Luhnow was named Astros general manager in December 2011 and began a dramatic technological overhaul of the organization, building a database to outperform “Redbird,” which he’d built in St. Louis. The overhaul was so extensive that the Times notes that Bloomberg Business called it “a project unlike anything baseball has seen before.” Luhnow, who ran tech companies before getting into baseball, joined the Astros and put together a 25-page plan detailing how the database, dubbed “Ground Control,” would be built from scratch and tailored to the team’s needs.
How does Ground Control work? The Houston Chronicle revealed what it could in March 2014:
Not everyone can see everything in Ground Control. Scouts see only what they need, and so on and so forth.But risk never disappears entirely, and Luhnow said his openness even for this story was a risk.“Information goes from club to club,” Luhnow said. “We need to be aware of that. But, also, information gets dated pretty quickly. … Our strategy, starting from [owner] Jim [Crane] down, is we want to be transparent enough to our fans to where they feel like they’re involved but at the same time not give away any proprietary information.”
Sounds secure, but there was a flaw. According to the Times report, investigators believe Cardinals officials gained access by looking over a master list of passwords used by Luhnow and others who went to the Astros during their time in St. Louis. Major League Baseball notified the FBI when it became concerned that the network had been the victim of a rogue hacker, according to the Times, and agents discovered that the network had been entered from a computer at a home occupied by some Cardinals officials. They were seeking to “wreak havoc,” according to the Times, on Luhnow’s work.
They’ve wreaked havoc, all right.
Washington Post staff writer Ellen Nakashima contributed to this report.