A lesson in cyber-security from baseball and the St. Louis Cardinals
Growing up rooting for and revering the Cardinals is something that is natural in St. Louis, just like loving Imos and Ted Drewes. Cheating and scandals are not something found in St. Louis; they are found in New England and other places, but not St. Louis. Busch Stadium is a place of reverence that emits honor and integrity on the field and off – until today, that is. After reading about the scandal in the NY Times this morning, I transited the stages of grief quickly – shock, then outrage, then anger and embarrassment, but then to logic and the idea that there is a teachable moment here.
First – the logic.
As an attorney, the first thing to consider is that these are accusations, not convictions – just because St. Louis’s beloved Cardinals are being investigated does not mean they did this. Even if someone within the Cardinals organization did this, there is also the chance that they were a disgruntled employee, or something else entirely – again, these are accusations, not guilt. While some of the evidence I read certainly seems damning, it is also circumstantial, and since no one can see the FBI’s case or other information, speculating about guilt or innocence here is dangerous. Also, from what little information I’ve read, if the Cardinals are responsible for the hack, it appears that someone from the front office found a password list after the now Houston GM left the Cardinals and gained access to the Astros’ system. I’m not defending the Cardinals front office here if they are found guilty, but sometimes when you find the keys to Pandora’s box it is too tempting not to open it.
After thinking about this, and while it is unethical – probably illegal – and of course deplorable, how does this information actually help or hurt the Astros? The Cardinals and the Astros are in separate leagues; they are not in direct competition with each other. Taking this information was not the same as eavesdropping on private team practices or altering equipment to win a game. After some brief reflection on baseball as an industry, cheating is common – steroid use until recently was prevalent, and still continues. Additionally, this year players have been caught, ejected and suspended for cheating in a game. This information probably did not change the outcome of a single game or give players a distinct advantage in any game this year – because we have not played the Astros – yet. And here is the problem: what about the post season, what about trades the Cardinals contemplated with Houston, Houston’s farm teams, or other teams that Houston had “inside information” on?
The data contained the “Astros’ collective baseball knowledge”, and this includes information on the current players, scouting reports, trade conversations and the like. The Astros could have information on other teams’ players – players that the Cardinals might be interested in acquiring – and now that information, which those other parties never wanted the Cardinals to have, can be used against them. Whoever held this data could use it to decide which players to acquire – or which not to acquire – based on details they should never have had. This hack gives the trespasser volumes of information on their market and competition that they simply shouldn’t have.
The last thing to consider is that whoever accessed the Astros’ information did so illegally, and whether it was used to help the Cardinals is not necessarily relevant – they also publicly leaked the Astros’ private information online last year. While the intentional leaking of this information is a tactic that suggests someone who was mad at the Cardinals, or their previous GM, it is just as speculative to say that the Cardinals are involved in this directly – at this point. This public leakage of information was itself very damaging, and while I hope the Cardinals really had nothing to do with it – that it was the actions of a past, disgruntled employee or something similar – I don’t have a whole lot of hope for this outcome.
Second – the teachable moment.
From the preliminary reports, it appears that the “hack” wasn’t really a hack, but appears to have happened when someone found a master list of passwords used by the Cardinals’ previous GM – who is now the Astros’ GM. After finding this master password list, it appears someone tried these passwords on the Astros’ system – and they got in, apparently because the GM used the same password with the Cardinals AND the Astros.
There are multiple types of hacks, but one of the most common hacks is called “insider misuse”. Insiders in a company frequently misuse their credentials, and in this case, it appears that the GM used a password while with the Cardinals and then used the same password while with his new employer. This type of breach accounts for 10.8% (the 4th highest category) of breaches according to Verizon’s 2015 Data Breach Investigations Report, and this poses a serious problem for business owners.
If you think about it, your employees are a major line of defense in the realm of data theft and breaches. Once you remove an employee – or hire an employee – if they have the same passwords for the old and new systems, then their information is at risk – and so is your company’s. If that employee’s passwords are used for your systems, and the new employer gets them – again, your information is at risk.
The teachable moment here is that passwords should be changed frequently, and your company should have a policy – and a discussion with employees – about using and changing their passwords frequently, and of course to make sure they never use a password that is similar to a password they used with another employer. A better solution is to assign a random password to your employees, but we all know that employees balk at this and will frequently lock themselves out of their software, adding IT costs and lost productivity. Another method (and this is something I believe in) is to house sensitive information offline – which prevents this type of hack (but not a direct breach by another employee or an intruder). Remember, without having some type of policy or security in place, your information is at risk.
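As an added illustration of the policy described above (example code written for this post, not anything used by either ball club), the following enforces three of its points on a per-user password history: a new password is rejected if it matches any of the last few the user has set, a password older than a maximum age is flagged for change, and a random password can be assigned instead. The hashing parameters, history depth and 90-day limit are assumptions chosen for the example; ages are tracked as day numbers to keep it simple.

```python
import hashlib
import hmac
import secrets

# Assumed policy parameters (not from the post): PBKDF2-HMAC-SHA256,
# remember the last 5 passwords, force a change after 90 days.
ITERATIONS = 100_000
HISTORY_DEPTH = 5
MAX_AGE_DAYS = 90
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def hash_password(password, salt=None):
    """Return (salt, digest); each stored password gets its own random salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def reused(candidate, history):
    """True if the candidate equals any remembered password.

    history is a list of (salt, digest, set_day) tuples, newest last.  The
    candidate is re-derived with each stored salt and compared in constant time,
    so the old passwords themselves never need to be kept in the clear."""
    for salt, digest, _ in history[-HISTORY_DEPTH:]:
        _, probe = hash_password(candidate, salt)
        if hmac.compare_digest(probe, digest):
            return True
    return False


def expired(history, today):
    """True if there is no current password or it is older than MAX_AGE_DAYS."""
    if not history:
        return True
    return today - history[-1][2] > MAX_AGE_DAYS


def random_password(length=16):
    """The post's 'assign a random password' option: CSPRNG-chosen characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def accept_change(candidate, history, today):
    """Apply the policy: reject reuse, otherwise record the new password."""
    if reused(candidate, history):
        return False
    salt, digest = hash_password(candidate)
    history.append((salt, digest, today))
    return True
```

Constructed scenario for a run: a user sets a password on day 0, carries the same one to a new system on day 400, and `accept_change` refuses it while `expired` reports the old one as overdue.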