What Baseball Hacking Can Teach Us about Association Cybersecurity
This is not your normal Aptify Blog post—because we're talking about sports news!
This is the story of the Cardinals Hacking Scandal.
Big Data & Baseball
Like so many other businesses, Major League Baseball (MLB) clubs now manage their operations through software. If you read Michael Lewis' book Moneyball (or saw its movie adaptation written by Aaron Sorkin and starring Brad Pitt), you know that big data and crunching the numbers have supplanted anecdotes and hunches in the notoriously hunch-driven game of baseball. In many ways, MLB clubs were the popularizers of big data analytics to the masses.
As the New York Times described when the scandal first broke in June 2015:
[Jeff] Luhnow was part of the wave of “Moneyball”-style executives who revolutionized baseball front offices at the start of the century.
A Penn and Northwestern graduate who had worked in consulting, he joined the Cardinals in 2003 despite having no baseball experience. After facing some initial skepticism, he started hitting home runs. He oversaw the team’s draft beginning in 2005 and showed an uncanny knack for finding talent…
But in December 2011 he left the Cards for a promotion to general manager of the Astros, at that time a division rival and the worst team in baseball. Luhnow took along Sig Mejdal, a former NASA engineer; his title is director for decision sciences. Mejdal applied work he had done at NASA on astronauts’ decision making to improve the team’s drafting.
Luhnow and Mejdal built Ground Control, a proprietary software for the Astros to track players for drafts, trades, and free agency. The system crunched all the numbers and provided a secure digital location for Astros staff to discuss their next moves.
Not So "Secure" Conversations
But in June 2014 those "secure" conversations appeared online at Deadspin, embarrassing the Astros both for their IT security and what was said among staff. Whatever strategy the Astros had was also in the open to all their competitors as well.
The Astros appealed to MLB for help and MLB quietly referred the matter to the FBI. One year later, in June 2015, the New York Times broke a story that the FBI had raided the Cardinals offices in St. Louis. The details started to drop. By infiltrating some of the base servers used in the masking network Tor, the FBI had been able to identify the intruder in the Astros' Ground Control back to Chris Correa, an analyst for the Cardinals. Correa had “hacked” into the accounts of three Astros employees on Ground Control for almost two years, routinely looked at all their data, listened to their conversations, and then leaked the info to Deadspin.
Another year later, in June 2016, a federal judge sentenced Correa to 46 months in prison with an almost $300,000 fine. Then, earlier this year in 2017, MLB levied its maximum penalty against the entire Cardinals organization—giving their top two draft picks to the Astros and making St. Louis pay $2 million to Houston.
So what's the tech takeaway here? Was Astros IT incompetent, or did St. Louis somehow have a scouting analyst with masterful coding skills? Neither.
The Same Dumb Mistake…Made 3 Times
Astros IT did the right things. They built secure software and monitored the login for brute force attacks. They kept an activity log of all users behavior inside Ground Control. They changed both the login URL and all user passwords after positive media attention made Ground Control a software buzzword in Texas.
Responsibility for enabling the hack appears to lie with three people: Luhnow, Mejdal, and someone else who came from the Cardinals to the Astros. This hack was a password behavior problem.
Not one, not two, but apparently all three reused the same or only slightly variant passwords for their Astros email as they had used at the Cardinals. Correa accessed their email and then their Ground Control accounts by looking up their passwords in the Cardinals system and then guessing those passwords at Astros login screens. By spreading his activity across three legitimate accounts inside Ground Control he decreased the chances Astros IT would flag anything as unusual. When Ground Control logins were updated he had the emailed info to login again.
People increasingly talk about creating secure passwords. Aptify has our own guide to creating high-entropy passwords that ups your association cybersecurity game.
But the other side of the coin is educating your staff to understand even the best password can be compromised. Staff need to know their password to your association's most important data on members is compromised the minute a staffer reuses that password for a new login to music streaming or to pay a monthly utility bill. Certainly, they should not reuse old passwords for their login to your email, your membership software, or your business intelligence.
Don't let your association become the next Astros. It would be embarrassing. More importantly, it would compromise your mission and erode your brand's trust.
Check out our Resources section for all our association cybersecurity assets. For a good start on how to keep your association secure, I suggest the Overhauling Password Behavior at Your Association eBook.
About Tony Cavicchi
As the Inbound Marketing Manager at Aptify, Tony delivers content aligned to answer organizations’ needs and show how an Aptify AMS will help them better achieve their missions. He knows many challenges faced by the association market firsthand after running digital marketing for three years at HSLDA, an Aptify client. Tony was a political science major, so he’s still a bit of a nerd and follows election news around the world like sports championships.