Investigators told the Times they have uncovered evidence that Cardinals officials breached Astros databases containing information on trades, proprietary statistics and scouting information. They believe the attack may have been launched to cause problems for Astros general manager Jeff Luhnow, who left the Cardinals in 2011.
According to investigators, the Cardinals officials were concerned that Luhnow may have taken the team's proprietary information to the Astros, and they simply tried a series of passwords Luhnow had previously used when he worked for the Cardinals until they were able to gain access to the Astros' network.
Major League Baseball and the Cardinals have been served with subpoenas seeking electronic correspondence in connection with the investigation.
Major League Baseball said in a statement that it "has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros' baseball operations database."
Similarly, the Cardinals said in a statement, "The St. Louis Cardinals are aware of the investigation into the security breach of the Houston Astros' database. The team has fully cooperated with the investigation and will continue to do so. Given that this is an ongoing federal investigation, it is not appropriate for us to comment further."
Tripwire senior security analyst Ken Westin told eSecurity Planet by email that the breach demonstrates that hacking isn't always about stealing credit cards or even personally identifiable information (PII). "We have increasingly seen this behavior in business where hackers steal and sell information to competitors or investors to give them an edge," he said.
"A baseball team hacking another team is a logical extension of this type of attack, as it is in the end a business as well with high financial stakes," Westin added. "By accessing information on players, their goal is to give themselves a competitive edge."
In a similar case in 2013, Manchester City Football Club's Scout7 system, which held detailed reports on scouted players, was illegally accessed, possibly by a rival football club.
A Premier League chief scout told Mirror Online at the time, "When it comes to compiling reports on players there is a whole different level of information that goes into a dossier on a player and many clubs around Europe use the same system. ... Having someone else -- especially a rival -- access that information and see which players you are looking at, which players you may buy and which ones are being monitored over a defined period would be seen as catastrophic."
A recent eSecurity Planet article offered advice on improving database security.