Hacking Your Rivals – Corporate Espionage in Major League Baseball

As we approach the dog days of summer, baseball season is again in full bloom. We previously discussed old-fashioned sign stealing in the context of teams trying to gain a competitive advantage during an actual game. But it appears these hijinks have evolved in today’s electronic world. As the New York Times first reported, the FBI and Department of Justice prosecutors are investigating front-office personnel for the St. Louis Cardinals, one of Major League Baseball’s most beloved franchises, for allegedly infiltrating the internal network of the Houston Astros.

Though this incident might be unprecedented in the competitive world of professional sports, it only illustrates the importance of organizations – whether large or small – protecting their trade secrets with adequate safeguards and programs. Indeed, nearly all corporations maintain similar databases with internal information about performance, customer lists, and corporate strategies – information that, if it reaches the wrong hands, could inflict significant damage on one’s business and reputation.

In this case, the investigation centers on the theft of valuable information about trades, proprietary statistics and scouting reports stored on the Astros’ internal database known as “Ground Control.” Initial reports suggest that the Cardinals penetrated the Astros’ internal networks by means of old passwords used by Jeff Luhnow and other Cardinals employees during their time in St. Louis. Luhnow is the current general manager of the Astros, but previously served as a member of the Cardinals’ front-office staff. In his first public comments, Luhnow has denied the implication that the hackers gained access to the Astros’ database because he failed to change old passwords.

But if these initial reports are true, they would not be surprising. Cybercriminals often use this simple intrusion method: passwords taken in one data breach are sold on the underground market, where buyers test them against other websites and services, including brokerage and banking accounts, on the assumption that many people re-use the same password.

If the government can prove these allegations, it could charge the Cardinals’ perpetrators under the Computer Fraud and Abuse Act (CFAA), a statute we have covered extensively in the past. The CFAA criminalizes unauthorized access to computer systems under federal law, and potential remedies include fines and prison terms. Criminal liability under the Economic Espionage Act (EEA) is also not out of the question. Outside of the criminal realm, the Cardinals and its employees may face civil lawsuits filed by the Astros under state and federal law.

As this unprecedented incident illustrates, no industry or organization is immune from corporate espionage concerns. Here are some basic steps every organization should follow to proactively guard against these risks:

  • Create strong password protection policies: Advise your employees to never re-use passwords they previously used with another employer or organization. Forbid employees from using the same passwords across different websites and services. And, finally, enact policies that require employees to regularly change their passwords.
  • Implement stringent programs, policies, and procedures that prevent departing employees from taking valuable intellectual property: Create policies and procedures that prohibit key employees from sharing confidential information after they leave your company to work for a competitor, or in a similar capacity for another company. Instituting a vigilant program to monitor competitor activities after they hire your former employees is another tack that can be very effective in ensuring that your confidential information is not misused. You should remind your former employees, and their new employers, of the former employees’ obligations to protect such information, carefully monitor competitor activities for any evidence that your confidential information is being used, and take any legal action necessary to stop misuse by competitors.
  • Implement comprehensive training programs: Education is paramount. Training employees on the importance of electronic safeguards and password policies is critical; and companies must educate employees on what information is considered confidential. Employees should understand that electronic habits in the business context must differ from practices for accessing personal online accounts for email, financial records, as well as social media websites (including Facebook, LinkedIn, and Twitter).
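One way to enforce the no-reuse and regular-rotation rules from the first bullet in an application's own credential handling, as an added example that is not part of the original post (the in-memory store, the PBKDF2 parameters, the ten-entry history depth and the 90-day rotation window are assumptions):

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory credential store: username -> record (an assumption;
# a real system would keep the same fields in a database).
CREDENTIALS = {}
HISTORY_DEPTH = 10             # old password hashes retained per user (assumed)
MAX_AGE_SECONDS = 90 * 86400   # rotation window (assumed policy value)

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen history cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _matches_any(password: str, entries) -> bool:
    # Every entry carries its own salt, so the candidate is rehashed per entry.
    return any(hmac.compare_digest(_hash(password, s), h) for s, h in entries)

def set_password(user: str, new_password: str, now: float = None) -> str:
    """Return 'ok' or a rejection reason; refuses any password still in history."""
    now = time.time() if now is None else now
    rec = CREDENTIALS.setdefault(user, {"current": None, "history": [], "changed": 0.0})
    old_entries = ([rec["current"]] if rec["current"] else []) + rec["history"]
    if _matches_any(new_password, old_entries):
        return "rejected: password was used before"
    salt = os.urandom(16)
    if rec["current"]:
        # Push the outgoing password into history, keeping only HISTORY_DEPTH entries.
        rec["history"] = ([rec["current"]] + rec["history"])[:HISTORY_DEPTH]
    rec["current"] = (salt, _hash(new_password, salt))
    rec["changed"] = now
    return "ok"

def verify(user: str, password: str, now: float = None) -> str:
    """Return 'ok', 'expired' (correct but past the rotation window) or 'denied'."""
    now = time.time() if now is None else now
    rec = CREDENTIALS.get(user)
    if rec is None or rec["current"] is None:
        return "denied"
    salt, digest = rec["current"]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "denied"
    if now - rec["changed"] > MAX_AGE_SECONDS:
        return "expired"
    return "ok"
```

An 'expired' result should force the user through set_password before granting access, which is what turns the rotation policy into an enforced control rather than a reminder.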