Hacking into Ground Control – The Baseball Edition

Posted by Michael TitensIn times gone by, baseball teams seeking an unfair advantage turned to pine tar, spit, and emery boards.  Now we can add keyboards to that list.When proprietary information from the Houston Astros’ “Ground Control” database was published on the web last year, the FBI began to investigate the source of the breach.  This week the New York Times reported that the breach likely originated with one or more employees of the St. Louis Cardinals.Speculation about the motive for the hack has centered on Jeff Luhnow, a longtime Cardinals executive who created the “Redbird” player information database in St. Louis.  Luhnow left St. Louis to become the general manager of the Astros, where he created a database called “Ground Control” to house internal discussions about trades, scouting reports, and other proprietary data.  Were the Cardinals (or perhaps just one Cardinals employee) trying to glean additional wisdom from a former employee?  Was someone suspicious that Luhnow had taken Cardinals’ intellectual property with him to Houston?  We’ll have to wait for the federal investigations to run its course, but the sports world is abuzz as cybersecurity and corporate espionage hit home.This Cardinals vs. Astros matchup illustrates some cybersecurity principles applicable to any kind of business:1.  Cybersecurity is an issue for all businesses, not just retailers and financial institutions.  All companies should implement and monitor cybersecurity defenses and policies to protect their proprietary information and other valuable data.2.   Issues often arise when key personnel move to a competitor, especially in a data-driven business like scouting and analyzing baseball players (or even evaluating seismic data or potential acquisition targets).  Steps should be taken to identify and safeguard proprietary data when a key employee leaves.3.  Require employees to vary their passwords.  The Cardinals knew what passwords Luhnow used in St. Louis and reportedly used those same passwords to access the Astros network.  One commentator speculated that every GM in baseball is changing his passwords today, and I imagine that many are taking a hard look at their online shopping, banking and other passwords as well.  Using a single password online means that the compromise of one web service compromises them all.4.  Some data may be too valuable to store online or share by e-mail.  In 2013, after the NSA spying disclosures, a Russian official spoke of how Russian intelligence was updating their spycraft, by reverting to “the most primitive method . . . a human hand with a pen or a typewriter.”  Ever since that first Ground Control breach last year, Jeff Luhnow has been doing the same thing.