The recent case of corporate cyber espionage between the St. Louis Cardinals and the Houston Astros is the first of its kind in Major League Baseball. The hacking scandal demonstrates that no organization or industry is impervious to cyber attacks and the loss of intellectual property (IP).
The history of professional sports is replete with examples of organizations spying on one another to gain a competitive edge, and baseball is no exception. From the 1951 Giants sign stealing allegations to the 2003 Yankees suspected bugging of a visitors’ clubhouse, spying on the competition is an assumed part of the game. But the recent attack against the Houston Astros signals that the nature of the threat is evolving.
An ongoing investigation by the FBI and the US Department of Justice has revealed that several Cardinals front-office officials hacked the Astros’ proprietary database beginning in 2013. The network is the organization’s tool for storing and accessing operational information, from scouting reports and trade strategy communication to in-depth analyses on players’ health and performance. For those seeking inside information on competitors’ strategies, the database makes for a highly valuable target.
Despite the potentially game-changing nature of the information that the Cardinals officials accessed, investigators note that competitive advantage was only a partial motivation for the attack. Rather, law enforcement officials are citing a personal row between members of the Cardinals front office and the Astros’ general manager as the primary motivation.
The methods the alleged perpetrators used to access the Astros’ database were similarly uncomplicated. Cardinals officials discovered a list of passwords that the Astros’ general manager had used in his former role as an executive with the Cardinals. Then, they systematically attempted to access the Astros’ database until one of the passwords worked. Much of the accessed information was anonymously leaked in 2014.
This case is instructive for a number of reasons. First, it demonstrates that motivations for attacks on information systems are not always clear-cut. While competitive advantage is a compelling interest, individuals, organizations, and even nation-states can resort to corporate espionage simply for the sake of embarrassing their targets. Second, it highlights the importance of proper information security practices. Storing multiple passwords in a common document and reusing passwords for multiple applications are simple mistakes that give hackers the upper hand. Incorporating two-factor authentication is a straightforward technique that may have kept unauthorized users out of the Astros’ proprietary systems.
As the incentives to cheat continue to grow along with the sophistication of surveillance and hacking methods, sports organizations can protect themselves by taking preventive action against potential threats. Examining office spaces, meeting rooms, and telecommunications lines using technical surveillance countermeasures (TSCM) can help keep would-be eavesdroppers at bay. Consistently assessing networks and information systems for vulnerabilities is also integral to maintaining a strong cybersecurity posture. If professional sports organizations do not take steps to secure their sensitive proprietary information, they will risk losing their competitive edge.