If You Run a Sports Team, Change Your Goddamn Password

Everything about the Cardinals allegedly breaking into the Astros' database is completely nuts.

Jun 16 2015, 4:55pm

Among baseball's many time-honored traditions, stealing baserunning signs is considered to be one of the sketchier things you can do. There is not, however, any sort of precedent for stealing information from another team's front office.

Members of the St. Louis Cardinals' front office are under investigation by the FBI and Department of Justice for allegedly breaching the databases used by the Houston Astros to discuss statistics, trades, and scouting reports, according to the New York Times.

Knowing how a rival team values both its own and rival teams' players is highly useful, confidential information. It informs how trade and free agent negotiations play out. The Astros are believed to have some of the best advanced statistics-keeping in all of Major League Baseball, and that information is highly coveted by other teams. Ultimately, knowing such information can affect multimillion-dollar decisions and have a huge effect on the overall quality of a team.

We already knew the Astros got hacked or otherwise had data compromised—a year ago, Deadspin posted 10 months' worth of hacked internal trade talks. That a rival baseball team could be responsible for the breach never seemed even remotely plausible.

Jeff Luhnow worked in the St. Louis Cardinals organization between 2003 and 2011—while there, he developed a proprietary advanced statistics-tracking database called "Redbird." Luhnow left the Cardinals to become General Manager of the Astros in 2011, where he created a similar database called "Ground Control."

"Major League Baseball has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros' baseball operations database," MLB said in a statement emailed to Motherboard. "Once the investigative process has been completed by federal law enforcement officials, we will evaluate the next steps and will make decisions promptly."

FBI representatives told the New York Times that the breach is not believed to be sophisticated. Besides his database idea, Luhnow apparently also took his passwords with him, and Cardinals front office members allegedly used his old credentials to log in to the new system. In that sense, it's not really a classic "hack" at all, but it's still an illegal breach of a competitor's computer network.

What the breach lacks in sophistication, it makes up for in sheer brashness. American companies are obviously no strangers to breaches perpetrated by foreign government hackers, hacktivism from groups like Anonymous and Lulzsec, and other infiltrations by hobby hackers and run-of-the-mill cybercriminals.

But to be compromised by a rival US company? A rival sports team? This is a totally new era of cybersecurity and perhaps a new era of sports altogether.

Sports teams have always looked to gain some sort of edge by any means necessary. The Toronto Blue Jays have famously been accused of stealing signs (and last offseason the team attempted to hire under-contract Baltimore Orioles general manager Dan Duquette, causing the Orioles to discuss filing tampering charges). The New England Patriots videotaped their opponents' signals in what became known as "Spygate." The Patriots famously deflated footballs to make it easier for Tom Brady to throw them. And that's just the team-level stuff, before you get into scuffed baseballs and steroids.

That teams are now trying to steal each other's digital information is completely nuts.

"It is really awesome. It gives the technical debate in sports a whole new spin," Peter W. Singer, a cybersecurity expert at the New America Foundation, told me. "But actually, it's not all that surprising given it is a multibillion industry where small amounts of information can make a crucial difference in success or failure. Somewhere Bill Belichick is smiling in approval."

Singer isn't alone in thinking that sports teams are going to increasingly become hacking targets.

"It's a long way from deflating footballs," Adrian Sanabria, a security analyst at 451 Research, told me. "It goes to show that if you have data that's valuable, it WILL BE a hacking target. And clearly, especially post Moneyball, sports teams now have lots of valuable data."

Luhnow's Astros have been praised as being a forward-thinking organization. The team essentially tanked the past three seasons to stockpile a hoard of young, cheap players who look promising according to baseball's advanced sabermetrics statistics. This season, the upstart team is leading the American League West, and Luhnow looks like a genius.

In the future, then, even if sports teams don't employ hackers, they should certainly consider hiring some security experts to lock down their data. At the very least, they should tell their employees to change passwords when they switch teams.