By David Barron and Evan Drellich
Sports espionage, once the province of those who stole signs and spied on practices, has moved into the realm of cyberspace as federal officials investigate whether St. Louis Cardinals employees illegally accessed the Astros’ “Ground Control” baseball operations computer database.
Officials with Major League Baseball and both teams acknowledged the investigation, which a person familiar with the probe said includes subpoenas issued to MLB and the Cardinals by the FBI and Justice Department. The New York Times first reported the investigation’s focus on the Cardinals.
There were at least two separate breaches of the Astros’ computer network, a source told the Houston Chronicle. The database includes statistics, player evaluations and, at least up until last spring, logs of trade negotiations. Those logs were posted online and widely viewed at Deadspin last June, prompting an FBI investigation.
However, Tuesday’s report by The Times was the first indication the cyberattack could have come from an Astros competitor and not a random hacker. One person briefed on the case told the Chronicle that four to five individuals within the Cardinals organization are a focus of investigators, and multiple sources said the FBI is expected to complete its investigation soon.
While computer hacking has long been a problem for business, industry and government, it’s relatively rare in sports. FBI officials consider the impact of the breach and the potential harm before getting involved with a hacking case, said Richard Garcia, a former agent in charge of the Houston FBI office.
“In this case, you’re dealing with America’s game,” Garcia said. “It could be pretty intense.”
The Times reported that investigators said they uncovered evidence that Cardinals officials wrongfully gained access into the Astros’ internal website in 2013. A second breach occurred in March of 2014, a source told the Chronicle.
“We have been cooperating with this federal investigation for quite some time,” said Astros general counsel Giles Kibbe. ”We cannot make any comment as the matter is still under investigation.”
Astros general manager Jeff Luhnow, director of decision sciences Sig Mejdal and scouting director Mike Elias used a similar network while working with the Cardinals before joining the Astros in 2012. As first reported by The Times and confirmed by the Chronicle, the Cardinals had a master list of passwords, and at least one of the Astros’ departed executives did not alter his password well enough.
One of the subpoenas sought to gain background information as to what IP addresses — the identifying online marker of one’s computer — were used to access certain websites, a person familiar with the situation said.
Coming at a time of increased discussion about ethical behavior in sports, from improperly deflated footballs in the NFL to possible payoffs in international soccer, Tuesday’s disclosures were viewed as another indication some figures in sports are becoming less than sportsmanlike in their attitude toward competitors.
“Sports have been corrupted — so much money and so much pressure,” said Don Beck, director of the National Values Center in Denton. “It’s industrial espionage, like when Coca-Cola would steal from Pepsi. … It’s a sad state of affairs in baseball. That’s America’s pastime. It goes across the grain of our ethical system.”
In Boston, MLB commissioner Rob Manfred said the case “is a federal investigation, not a baseball investigation.”
“There is an ongoing investigation with respect to an unauthorized entry into Houston’s system,” Manfred said. “To … assume that investigation is going to produce a particular result with respect to the Cardinals, let alone to jump to a word like cyberattack, we don’t know that those are the facts yet.”
Manfred said MLB has been “fully cooperative” with the investigation but that it is too early to speculate on its outcome.
The Cardinals acknowledged the investigation as well. “The team has fully cooperated with the investigation and will continue to do so,” the team said in a statement. “Given that this is an ongoing federal investigation, it is not appropriate for us to comment further.”
The FBI declined to confirm the probe or any specifics but did say: “The FBI aggressively investigates all potential threats to public and private sector systems. Once our investigations are complete, we pursue all appropriate avenues to hold accountable those who pose a threat in cyberspace.”
Sheryl Falk, a partner in the Houston office of the law firm Winston & Strawn who has handled cases involving digital evidence and computer forensics, said the hacking could constitute a violation of the 1986 federal Computer Fraud and Abuse Act, which makes it a criminal offense to access a computer without authorization or to exceed authorized access to obtain information from a computer that is used in or affects interstate commerce or communications.
Possible criminal penalties, she said, are a fine and/or imprisonment of up to five years if the offense was committed for commercial advantage or in furtherance of criminal activity or if the value of the information exceeded $5,000. A person suffering damages or loss through such violations also can sue for civil damages.
“This would be a clear case of corporate espionage,” Falk said. “You usually see this from nation/state actors.”
Given reports that previous passwords were used to gain access to the Astros’ system, Falk said the case highlights the importance of password management and the danger of “social engineering” to obtain unauthorized access to information.
“This is a hot-button issue. Protecting data is an FBI priority, so it’s not surprising they would come into this, especially with it being such a high-profile case,” she added.
Garcia, now a senior consultant for Delta Risk, the cybersecurity arm of the Chertoff Group founded by former Department of Homeland Security Secretary Michael Chertoff, noted that with cyberspace, crime investigators would attempt to track digital fingerprints to determine whether a computer obtained data from the Astros’ computer server. The Times reported that access to the Astros’ computer network was obtained by someone living at a house where Cardinals officials had lived.
For the FBI to issue subpoenas, he said, “They must have some pretty good evidence from their investigation.” From there, he said, the investigation will involve “getting to the person behind the keyboard and seeing who actually breaks down and confesses.”
While the Cardinals and Astros are now in separate leagues, they had a robust rivalry for years, highlighted by back-to-back meetings in the National League Championship Series in 2004 and 2005. St. Louis prevailed in 2004, but the Astros won in 2005 to make their first trip to the World Series.
Winners of 11 World Series championships, second only to the New York Yankees, the Cardinals for years have been one of the most admired franchises in baseball. Unlike the New England Patriots, perpetrators of the “Spygate” and “Deflategate” controversies in the NFL over the last decade, the Cardinals have been admired by baseball observers for innovation and tradition rather than deception, which only served to stimulate conversation regarding Tuesday’s disclosures.
The Astros, in fact, turned to the Cardinals organization when owner Jim Crane launched a top-to-bottom reboot after buying the team in 2011. One of his first moves was to hire Luhnow, a former management consultant who espoused data-driven methods after serving as St. Louis’ vice president of scouting and player development for five years.
Luhnow’s approach to the game on occasion brought him into conflict with more tradition-bound counterparts in St. Louis. That in turn has prompted speculation the hack could have been a form of retaliation by disgruntled former co-workers or payback for Luhnow’s taking what could be perceived by some to be too much credit for the continued success of the Cardinals.
People familiar with the situation doubted revenge as the sole motivation, noting the high value of information that could be learned and the risk involved.