Sentencing in Astro-Cardinals baseball hack offers lesson about passwords

Law punishing illegal computer access used in even seemingly minor transgressions

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Baseball has long celebrated cheating, but electronic cheating just sent a former team front-office worker to prison for nearly four years.

Former St. Louis Cardinals scouting director Chris Correa, who earlier pleaded guilty to using old passwords to access a former team’s scouting database, was sentenced to 46 months in prison Monday. Correa broke into the Houston Astros’ computer systems repeatedly, stealing data. He previously had worked for the Astros.

Correa has been dubbed a hacker by sports media, but he simply made educated guesses to break into his old team’s computer database, mainly to download scouting intelligence that might help the Cardinals gain insight into players the Astros wanted to draft or trade for.

The long sentence was tied to the economic loss “suffered” by the Astros … and here things get confusing. According to STLToday.com, federal prosecutors essentially calculated how much money the Astros spent developing the data in their player database.

Sentence tied to financial loss

Assistant U.S. Attorney Michael Chu, who handled the hearing, listed the formula used to arrive at $1.7 million.

“But since much of the data that we looked at focused on the 2013 draft, what we did was we took the number of players that he looked at by 200 and we divided that by the number of players who were eligible to be drafted that year, and we multiplied that times the scouting budget of the Astros that year. That comes to $1.7 million,” he said.

That kind of loss meant a sentence of 36-48 months, according to federal guidelines.

That kind of jail time sounds like a lot for what some might consider the equivalent of stealing a third-base coach’s signs—particularly when you hear about rapists getting six-month sentences—but it is not out of line with many computer criminal punishments.

There has long been debate about fairness in hacker sentencing, a debate that reached fever pitch after Aaron Swartz was charged for “hacking” research and received a 30-year sentence and ultimately committed suicide.

No ‘typical’ hacker

Again, Correa is no hacker. When I talked to Morey Haber, vice president of technology at BeyondTrust, he sharply defended the sentence.

“Yes, there is a certain amount of cheating that goes on (in sports), but that’s during the game,” he said. “This is corporate espionage. It’s no different from hacking a bank. It’s no different than if you went from Lockheed Martin to Northrop Grumman (and hacked into your old employer). It’s not acceptable and courts are sending a strong message.”

Whatever you feel about Correa’s sentence—and hanging questions about whether or not he could have been the only one who knew about all this—there are three really important lessons to learn from the Cardinals hack.

First, Correa actually told the judge during a hearing that he started breaking into the Astros computers because he was afraid they were doing the same thing to him. That may or may not be true. But “hacking back,” however tempting, is a crime. And it can steal several years from your life.

Make passwords more difficult

Second, using an old password to log into your old company—or slight variations of that—might seem like a fairly innocent thing to do. Maybe you forgot a contact phone number, or there’s a document you wrote that you’d like to see one more time. This kind of “hacking” can feel like no crime at all. It’s just a few keystrokes.

Doing that also can cost you years of your life.

Finally, to you Astros-like companies out there. Passwords can be easily guessed. And former employers who know the password tendencies of your current employees can guess them really easily. Look at this section of the court transcript that describes the “hack.”

“It was based on the name of a player who was scrawny and who would not have been thought of to succeed in the major leagues, but through effort and determination he succeeded anyway. So this user of the password just liked that name, so he just kept on using that name over the years. … Kind of like Magidson123… Or Magidson1/2,1/4,1/3.

Have a smarter authentication system than that. At least change the indicator once in a while. (That’s a baseball joke.)

More stories related to hacking and security:
Play ball: CISOs can learn a few things from Major League Baseball
Baseball hacking scandal points to need for password protocol
Hack of CIA director’s email provides a security lesson for all