Baseball Hacking: Cardinals vs. Astros

I think this is the first case of one professional sports team hacking another. No idea if it was an official operation, or a couple of employees doing it on their own initiative.

Posted on June 25, 2015 at 6:14 AM • 5 Comments

Comments

RobertJune 25, 2015 7:22 AM

A former employee of St. Louis had a player database. When he left to work for the Astros he took the database with him. Problem is he never changed the credentials. His former co worker, still a Cardinals employee, used the old credentials to 'hack' the Astros database.

Not a complicated hack, just poor security practices. It will be interesting to see how big of an example the court system and Major League Baseball will make out of the Cardinals over this.

http://mobile.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html?smid%3D=tw-nytsports&_r=1&referrer=

EricJune 25, 2015 8:43 AM

Robert, the re-use of passwords explanation has been contested by the Astros GM, so at this point it's he said-he said regarding how they gained access.
(Of course, I wouldn't want to admit to that kind of negligence if it were me.) It does seem likely that familiarity with the system was probably the biggest factor in their achieving access, rather than advanced technology skills.

Bruce, what would you consider an "official operation" in the context of a sports franchise? One initiated or authorized by the GM, President, or owner?

JaysonJune 25, 2015 9:03 AM

Mr. Luhnow was asked at the time whether the breach would affect how he dealt with other teams. “Today I used a pencil and paper in all my conversations,” he said.

Low tech. Not a bad solution.

LegitimatorJune 25, 2015 2:47 PM

@bruce @eric

The era of plausible deniability, outsourcing, secrecy, and nonaccountability is one where "official operation" no longer has much meaning.

TimJune 26, 2015 3:29 PM

@Robert - If the Cardinals owned the database is it hacking? I can't think of any corporation where a database is created for the corporation and it is ok to take it with you.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.