The Federal Court came down hard on a former scouting director for the St. Louis Cardinals on Monday, sentencing Christopher Correa to almost four years in prison for hacking into a computer system that belongs to the Houston Astros.
Correa, who until last summer served as Director of Baseball Development for the Cardinals, was sentenced to 46 months in federal prison and ordered to pay $279,038 in restitution. Correa was fired from the team in July 2015, shortly before being indicted and arrested in connection to the hack.
In January, prior to yesterday’s sentencing, Correa pleaded guilty to five counts of unauthorized access of a protected computer to Lynn Hughes, a United States Judge for District Court for the Southern District of Texas in Houston. At the time, Correa claimed he had accessed the Astros’ database because he believed the team was in possession of Cardinals proprietary information, something the Astros went onto to deny.
While the sentencing may sound steep, the charges are about in line with those leveraged around the go-to law on hacking, 1986’s Computer Fraud and Abuse Act (CFAA). The charges are actually less than the maximum Correa had faced for each count initially: a penalty of five years in federal prison and a maximum fine of $250,000.
News of the breach first surfaced in June 2014 when Astros GM Jeff Luhnow – who scouted for the Cardinals from 2003 through 2011 – told reporters that someone had accessed the team’s servers and trade talks.
It was unclear if there would be any repercussions until the FBI announced last summer that it was investigating whether front office personnel with the Cardinals carried out the hack.
Like many sports clubs these days the Astros are a team dependent on sabermetrics, the empirical analysis of baseball. Numbers on a player’s batting average on balls in play, how to measure a player’s overall offensive contributions per plate appearance, what a player’s ERA would look like if the pitcher league average results on balls in play, and so forth feed into a computer program the Astros use nicknamed Ground Control.
A few months before Luhnow acknowledged the breach in 2014, the team was forced to disable Ground Control and shore up its security, around the same time a Houston Chronicle article made its existence known. At the time it was uncertain whether a security vulnerability existed in Ground Control or the fact that an unauthorized employee had accessed data prompted the fix.
The FBI claims Correa was able to gain access to Ground Control by using a password that was similar to that used by a Cardinals employee who turned over his Cardinals-owned laptop, along with its password, to Correa in 2011.
Correa reportedly downloaded an Excel spreadsheet of the Astros’ scouting notes on each player eligible for the draft in 2013. He also viewed a Ground Control page that detailed trade discussions, bonus details, statistics, and notes on injuries and performances by Astros prospects.
All said, Correa was in the team’s network for two years and accessed data 60 times, according to Giles Kibbe, the general counsel for the Astros, on Monday.
New info from Giles Kibbe, Astros general counsel: Christopher Correa accessed Astros database 60 times on 35 days from March ’13-June ’14.
— David Barron (@dfbarron) July 18, 2016
In January the Justice Department claimed that Correa accessed sensitive player information before critical baseball dates like the 2013 amateur draft and before that summer’s non-waiver trade deadline. Federal prosecutors claimed on Monday the way Correa used the hacked data to draft players cost the Astros roughly $1.7 million.
Luhnow went on the defensive last summer in an interview with Sports Illustrated, claiming poor password protection was not to blame for the hack.
“I absolutely know about password hygiene and best practices,” he told the magazine, “I’m certainly aware of how important passwords are, as well as of the importance of keeping them updated. A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard.”
Luhnow, who left St. Louis to become Houston’s GM in 2011, has been a key figure in the Astros’ turnaround the last few years. The team lost a staggering 324 games from 2011 to 2013 but made the playoffs last year for the first time in a decade. The team lost in the American League Division Series to the eventual World Series champion Kansas City Royals, but at 50-43, are continuing to hold their own this year.
Major League Baseball is said to be conducting its own investigation around the hack but it’s expected the Cardinals will be hit with sanctions, either a fine or a loss of draft picks, in the near future.
Despite being equally nebulous and scrutinized, punishment for violating the CFAA, which prohibits unauthorized access into another computer with the intent to steal data from that computer, is usually severe.
Aaron Swartz, who purportedly downloaded thousands of academic articles from JSTOR without permission committed suicide in 2013 after facing 11 charges for violating the CFAA.
Just last week, in the case United States v. Nosal (.PDF) the Ninth Circuit Court of Appeals upheld a conviction by 2-1 that using someone else’s password, even with their permission, can be considered be a federal criminal offense. The decision hinged on the CFAA’s definition of “unauthorized access,” language that many opponents of the act, including a dissenting judge in the case and the Electronic Frontier Foundation, have argued is decidedly not clear-cut.
President Obama proposed amendments to the CFAA last year to redefine what it means to exceed “authorized access.” The move could elevate some convictions to felonies and double the prison sentences around hacking and if ratified, chill security research, experts argue. Seeking a balance, the amendment would also require the government to “make clear that trivial conduct does not constitute an offense,” according to the Justice Department, who said they have “no interest in prosecuting harmless violations.”
