The First Hacking in Sports History Hits the Houston Astros

The summer of 2014 marked the first known hacking in professional sports when the St. Louis Cardinals were accused of infiltrating the Houston Astros’ personal database. As a result of scant measures to protect the Astros’ information, the breach, unfortunately, required little effort by the perpetrator. Ever since general manager Billy Beane for the Oakland Athletics successfully brought sabermetrics (see below for definition) into Major League Baseball, many teams, not just in baseball, began to rely on stat-based information to analyze different players. One novel that accurately portrays sabermetrics in baseball is Moneyball: The Art of Winning an Unfair Game, which became an Oscar-nominated film. Moneyball unveils how in the past, large sums of money were squandered by MLB teams because of their subjective and outdated methods to analyze players.

However, sabermetrics allow scouts to objectively predict a prospect’s future as a ballplayer, providing an honest evaluation based on existing statistics; it is essential for the annual drafting process. Yet in 2013, the Houston Astros’ prospect info was stolen when Chris Correa of the St. Louis Cardinals hacked the Astros’ database, resulting in $1.7 million in damage. Correa stole the reports by applying similar password variations in correlation to the Astros’ GM, Jeff Luhnow. The GM previously served in the Cardinals’ scouting department, revealing his old password to the organization. He, unfortunately, neglected the duty of changing his leaked password, ultimately leading to the scandal.

Because the process of this hacking event was so simple and the punishment was relatively soft, cybersecurity specialists speculate that more of these hacks could occur in the future. Considering the damage, the Cardinals were quickly pardoned. They only lost two of their draft picks (56 and 75 overall) and were fined $2 million USD. This weak punishment may motivate hackers to sabotage sports organizations because they feel like the repercussions are negligible. One of the harshest punishments in baseball that garnered national attention was the suspension of Alex Rodriguez in 2014 for utilizing a prohibited Performance Enhancing Drug (PED). He was suspended for 211 games which still holds the record for the longest suspension in MLB history.

If harsh punishments like the A-rod suspension were instated after the Cardinals scandal, hackers may reconsider their actions in the future. Some even say that this event influenced the Astros sign-stealing violation during 2017-2019, also resulting in relatively weak punishments. Correa exposed the vulnerabilities of the MLB security system. However, we can avoid these simple mistakes by increasing our own security system so that a criminal like Correa cannot sneak into personal accounts.

This hacking event is a perfect example of poor password management that can be avoided by using different security systems. Cyber attacks are quickly evolving, and hackers become more dangerous every day. One way we can avoid the Cardinals’ hacking is to better secure and manage all of our passwords so that private information is protected. Millions of passwords used for securing accounts lack complexity and creativity, allowing hackers to access personal data. However, apps like Lastpass or Keepass can produce sophisticated passwords and store them in a secured area on your smartphone (TIP: remember to save a copy).

These password managers are efficient yet affordable and can carry a major effect on the future of cybersecurity. Another security system we can run is two-factor authentication. Once a hacker cracks the password, the entire account is infected. However, if we set up two-factor authentication (2FA) on our account, the hacker must decrypt the password and acquire an additional identification piece that can be challenging to crack. We can set up 2FA with a security key, the Microsoft Authenticator app, and an encrypted code sent to your iPhone to verify your identity.

I recommend setting up a Yubikey as the 2FA because it is a physical element that hackers cannot gain access to even after cracking your password. If the Astros set up two-factor authentication on their accounts, Correa would not have accessed the scouting reports even after he guessed the password. Once the password managers and 2FA are installed, the passwords created on your account should be changed periodically. Additionally, never use the same password for multiple accounts because once the hacker decrypts one password, all of your personal accounts will be infected.

Though the absence of password management may not seem like a major liability to your security system, the issue caused a major organization $1.7 million USD, and, over time, negligence can eventually lead to countless more irrecoverable consequences that will affect every computer.

Sabermetrics: The use of statistics-based analyses of in-game records that help evaluate and compare the performance of each individual player.

Sources: ESPN.com news services. “FBI Investigates Cardinals for Hacking into Astros' Database.” ESPN, ESPN Internet Ventures, 16 June 2015, www.espn.com/mlb/story/_/id/13089501/report-fbi-investigating-st-louis-cardinals-hacking-houston-astros-database. Crasnick, Jerry. “Hacking Scandal Fallout a Wake-up Call for Cardinals, MLB.” ESPN, ESPN Internet Ventures, 31 Jan. 2017, www.espn.com/mlb/story/_/id/18588682/hacking-scandal-fallout-wake-call-cardinals-mlb.