Print

The New York Times has reported that a Texas federal judge sentenced former St. Louis Cardinals Director of Baseball Development, Christopher Correa, to 46 months in prison after pleading guilty to five counts of unauthorized access of a protected computer. The sentence includes two years of supervised release and a restitution payment of $279,038. Correa remains out on bond until he reports to prison in the next two to six weeks.

Under 18 U.S.C.A. § 1030, a person found guilty of unauthorized access of a protected computer could face up to five years in prison for each count. Correa’s sentence is significant in that the punishment stretched beyond restitution to the victims, and the prison time is substantial. Cyber crime is no longer considered merely a nuisance; rather, it is prosecuted robustly at the federal level. This case sets the precedent for further cases of “cyber espionage,” and provides an understanding in the legal community as to how these types of cases may be viewed by the court.

During his plea, Correa admitted to hacking into “Ground Control,” the scouting database used by the Houston Astros. He told the court that he accessed the e-mail of an Astros’ employee who formerly worked for the Cardinals. Correa was able to access the e-mail because this employee used a similar password to the one he used when he worked for the Cardinals. Correa admitted to the court that he “guessed” the password, granting him access. Through the e-mail, Correa was able to gain access to two other Astros’ employee accounts, and see information in the Ground Control database. The information Correa accessed was given an estimated value of $1.7 million by the U.S. Attorney’s office.

This breach demonstrates that cyber security is no longer a luxury, it can happen as simply as a password being stolen, resulting in $1.7 million in damages to an entity. Even if an organization does not grant internet access to its employees, confidential corporate information can be breached simply by using an e-mail address.

Further, this situation is another example of a cyber incident committed by a person that does not fit the classic hacker stereotype. The common misconception of a hacker is a tech-savvy person, using cutting edge equipment to steal valuable information. This misconception is dangerous to the extent that it allows smaller targets to dismiss cyber security as being necessary for only larger, high-value targets. This situation, involving an unsophisticated tactic with a very industry-specific target, is a great reminder that significant damage can be done by those with inside access.