Former Cardinals Official Pleads Guilty to Hacking Into Astros� System
?A former St. Louis Cardinals official pleaded guilty Friday? to�a baseball hacking incident that drew attention from security experts and sports fans alike.
Former St. Louis Cardinals director of baseball development Christopher Correa, 35, pleaded guilty to five counts of unauthorized access of a protected computer in the Houston Astros� system. No one else associated with the Cardinals organization has been charged.
�We have secured an appropriate conviction in this case as a result of a very detailed, thorough, and complete investigation,� said U.S. Attorney Kenneth Magidson of the Southern District of Texas in astatement.? �Unauthorized computer intrusion is not to be taken lightly. Whether it�s preserving the sanctity of America�s pastime or protecting trade secrets, those that unlawfully gain proprietary information by accessing computers without authorization must be held accountable for their illegal actions.��
According to a plea agreement, Correa hacked into an Astros� system created bygeneral manager Jeff Luhnow?, a former Cardinals executive who left the team in 2011.
The Houston Astros and the Cardinals, �like many teams, measured and analyzed in-game activities to look for advantages that may not have been apparent to their competitors,� according to the U.S. Department of Justice (DOJ). �To assist their efforts, the Astros operated a private online database called Ground Control to house a wide variety of confidential data, including scouting reports, statistics, and contract information. The Astros also provided e-mail accounts to their employees,� and these e-mails and Ground Control could be accessed through password-protected accounts.
In the�plea agreement, Correa said that between March 2013 and at least March 2014, he illicitly accessed the Ground Control and/or e-mail accounts of other people to gain access to the Houston Astros� proprietary information.�
On one occasion, Correa said he was able to access scout rankings of every player eligible for the Major League Baseball draft. He also used his unauthorized access to view the Astros weekly digest page, �which described the performance and injuries of prospects who the Astros were considering, and a regional scout�s estimates of prospects� peak rise and the bonus he proposed be offered,� the DOJ said.�
Correa also hacked into the Astros system in March 2014. The Astros reacted by requiring all its system users to change their passwords to more complex combinations, along with other security precautions. The Astros also reset all of its Ground Control passwords to more complex default ones, and e-mailed the new default password and Web address information for the database to users.
Correa then �illegally accessed the aforementioned person�s e-mail account and found the e-mails that contained Ground Control�s new URL and the newly-reset password for all users,� the DOJ explained. �A few minutes later, Correa used this information to access another person�s Ground Control account without authorization. There, he viewed a total of 118 Web pages, including lists ranking the players that the Astros desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros� analytical department as top performers.�
The FBI and the DOJ began investigating the St. Louis Cardinals for suspected hacking into the Astros� internal networks in June 2015. The investigation marked the first time a professional sports team came under scrutiny for corporate espionage against a rival.
The St. Louis Cardinals also initiated its own investigation into the hacking allegation. However, the team has not commented on Correa's guilty plea or released its findings.
"Because the court proceedings in this matter will not be completed until Mr. Correa's sentencing, we have been advised that it would be inappropriate to comment at this time," the Cardinals said in a statement Friday, according to MLB.com.
The total intended loss for all of Correa�s intrusions is approximately $1.7 million. Correa has not been sentenced yet, but each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine.�His sentencing hearing isscheduled for April 11.