By Brad Hubbard | @bradhubbard
Former St. Louis Cardinals Scouting Director Chris Correa was finally sentenced today for his role in the 2014 hack of the Houston Astros. He faces 46 months behind bars and a fine of over $250k. It seems pretty harsh, but it raises a bigger question: how secure is sports organizations’ data?
I wrote about this issue last year when it came to light. I wanted to know two fundamental things: 1) how does a team go about protecting its data, and 2) if data was taken, did it truly provide a measurable competitive advantage? In this case the federal prosecutors claimed that it cost the Astros $1.7 million. Does $1.7 million equal 46 months in prison? I think that is very much up for debate.
Some may feel that the sentence is harsh, but when you look at the amount of statistical data floating around in MLB, NBA, NFL, NHL, and MLS, and how much teams have come to rely on that data to select and identify potential season ticket holders, one could argue that this sentence deters other individuals from attempting a similar thing. It doesn’t provide a deterrent to outside actors.
The fact is that we as a society do not yet know the boundaries for cyber crime, which is what Correa was convicted of. In this case it would appear to be a law enforcement issue, as data was taken from a database without the owner’s knowledge or approval and it involved US citizens. However, what if this was similar to the Sony hack? How does that change the game? (Pun intended.) Is this then just a law enforcement issue?
Former Gen. Michael Hayden talked about some of this in a presentation this past January (pick it up around the 15-minute mark, and no, you can’t see his slides). What if, and yes, we are in hypotheticals here, Dallas Mavericks owner Mark Cuban made a negative remark about Russia that Russia took personally? Would that put the Mavericks’ database at risk? Would it put their season ticket holders’ information at risk? We already have precedent with the Sands Casino hack back in 2014 of a high-profile individual making remarks that the Iranians didn’t like. You saw what happened there.
What responsibility did the Astros have to secure their own data? Doesn’t the blame, in part, fall on them? Yes, Correa had to make the choice to infiltrate their network; however, it does appear that once inside he had free rein. One could argue that the Astros should have had an extra layer of authentication, like an RSA key, in order to gain access to their proprietary network.
Sports organizations, with all their data and high profiles, need to start looking at themselves in the context of everything else. While this case is about gaining access to player information and potential player acquisitions, it raises a much bigger question about sports franchises’ level as a target to outside actors. What if China decided to hack the New York Yankees or the Dallas Cowboys and release all of the season ticket holder info? Two iconic American brands hacked because the US Government did something that the Chinese didn’t like.
Impossible? It’s really not that far off. In any event, Correa isn’t a terrorist or a state sponsor of one. He isn’t an Eastern European criminal gang, but he is going to prison nonetheless. And one last point: neither of these teams has won the World Series in the last few years, so is 46 months really a fitting punishment?