The New York Times has reported that a Texas federal judge sentenced former St. Louis Cardinals Director of Baseball Development, Christopher Correa, to 46 months in prison after pleading guilty to five counts of unauthorized access of a protected computer. The sentence includes two years of supervised release and a restitution payment of $279,038. Correa remains out on bond until he reports to prison in the next two to six weeks.

Under 18 U.S.C.A. § 1030, a person found guilty of unauthorized access of a protected computer could face up to five years in prison for each count. Correa’s sentence is significant in that the punishment stretched beyond restitution to the victims, and the prison time is substantial. Cyber crime is no longer considered merely a nuisance; rather, it is prosecuted robustly at the federal level. This case sets the precedent for further cases of “cyber espionage,” and provides an understanding in the legal community as to how these types of cases may be viewed by the court.

During his plea, Correa admitted to hacking into “Ground Control,” the scouting database used by the Houston Astros. He told the court that he accessed the e-mail of an Astros’ employee who formerly worked for the Cardinals. Correa was able to access the e-mail because this employee used a similar password to the one he used when he worked for the Cardinals. Correa admitted to the court that he “guessed” the password, granting him access. Through the e-mail, Correa was able to gain access to two other Astros’ employee accounts, and see information in the Ground Control database. The information Correa accessed was given an estimated value of $1.7 million by the U.S. Attorney’s office.

This breach demonstrates that cyber security is no longer a luxury, it can happen as simply as a password being stolen, resulting in $1.7 million in damages to an entity. Even if an organization does not grant internet access to its employees, confidential corporate information can be breached simply by using an e-mail address.

Further, this situation is another example of a cyber incident committed by a person that does not fit the classic hacker stereotype. The common misconception of a hacker is a tech-savvy person, using cutting edge equipment to steal valuable information. This misconception is dangerous to the extent that it allows smaller targets to dismiss cyber security as being necessary for only larger, high-value targets. This situation, involving an unsophisticated tactic with a very industry-specific target, is a great reminder that significant damage can be done by those with inside access.

The post Cardinals’ Exec’s Prison Sentence Sets Stage for Future “Cyber Espionage” Cases appeared first on Privacy Risk Report.

On June 16, 2015, the New York Times reported on what is being referred to as “the first known case of corporate espionage” involving hacking and cybersecurity. The article states that the FBI and Justice Department are investigating allegations that front-office personnel for the St. Louis Cardinals hacked the Houston Astros’ computer network to access information related to players, trades, statistics and scouting reports. While the employees under investigation have not been identified, officials are gathering evidence that “the hacking was executed by vengeful front office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager,” who had previously been with the Cardinals. Other sources indicate the hack may have been used to embarrass the Astros rather than steal confidential information.

The Astros contacted the FBI when confidential information stored on their networks was posted online last year. Investigators found information indicating the origin of the hack was the home of Cardinal’s personnel.

The Data

Luhnow used statistics to provide insight on player development and training. This statistical method being used in baseball has been referred to as “Moneyball.” While at St. Louis, Luhnow developed a software program called “Redbird” to store information concerning St. Louis’ operations. He created a similar program for the Astros called “Ground Control” which stored the Astros’ “collective baseball knowledge.” Beyond merely storing the data, the program also “took a series of variables and weighted them ‘according to the values determined by the team’s statisticians, physicist, doctors, scouts and coaches.”

The Intrusion

It appears the cyber attack/theft was unsophisticated and carried out by guessing the passwords for the Astros’ network. Investigators are looking into allegations that Cardinals personnel, concerned the Astros may have used the program developed for the Cardinals, used passwords used by Luhnow while at St. Louis to gain access to the Astros’ network.  There are reports that this information was taken with the intention of embarrassing the Astros and Luhnow.

Hacks Used For Corporate Espionage

Based on the allegations against the Cardinals, corporate espionage is now added to the list of cyber security concerns. Further, hacks by competitors may cause more damage to the extent it may take longer to discover the hack. The large data breaches at Target or the federal government required people stealing information and selling it to other criminals that would use the information. Of course, a number of red flags are raised when hackers need to find buyers for the information they have taken. It is alleged that the Cardinals took the information for their own use and the breach was not discovered until the Astros saw their confidential information posted online. The information had value for the Cardinals without buyers and there is a chance the Astros would not have known about the hack if the information did not end up on the internet.

The post Major League Breach: Baseball Provides First “Cyber Espionage” Case appeared first on Privacy Risk Report.