Robert June 25, 2015 7:22 AM

A former employee of St. Louis had a player database. When he left to work for the Astros he took the database with him. Problem is, he never changed the credentials. His former co-worker, still a Cardinals employee, used the old credentials to ‘hack’ the Astros database.

Not a complicated hack, just poor security practices. It will be interesting to see how big of an example the court system and Major League Baseball will make out of the Cardinals over this.

Eric June 25, 2015 8:43 AM

Robert, the re-use of passwords explanation has been contested by the Astros GM, so at this point it’s he said-he said regarding how they gained access.
(Of course, I wouldn’t want to admit to that kind of negligence if it were me.) It does seem likely that familiarity with the system was probably the biggest factor in their achieving access, rather than advanced technology skills.

Bruce, what would you consider an “official operation” in the context of a sports franchise? One initiated or authorized by the GM, President, or owner?

Jayson June 25, 2015 9:03 AM

Mr. Luhnow was asked at the time whether the breach would affect how he dealt with other teams. “Today I used a pencil and paper in all my conversations,” he said.

Low tech. Not a bad solution.

Legitimator June 25, 2015 2:47 PM

@bruce @eric

The era of plausible deniability, outsourcing, secrecy, and nonaccountability is one where “official operation” no longer has much meaning.

Tim June 26, 2015 3:29 PM

@Robert – If the Cardinals owned the database, is it hacking? I can’t think of any corporation where a database is created for the corporation and it is ok to take it with you.

