Personnel for the St. Louis Cardinals, an American Major League Baseball (MLB) franchise, are currently under investigation by the FBI, accused of hacking into the internal network of the Houston Astros, another MLB team (and Alert Logic’s hometown team). This is the second database hack for the Astros in just over a year. The breached data included intellectual property that the Astros organization has collected on players and prospects. 2014 was a very successful year of recruiting for the Astros organization, due in part to the diligence of their scouts recognizing and picking promising recruits.
This is a classic example of corporate espionage. The data was taken by individuals working in the St. Louis Cardinals organization; the breach was tracked to the home of a few of those individuals. This is obviously the work of rookies—hackers typically know not to hack from their homes.
The Astros organization confirmed the following were compromised:
- A database containing sensitive trade data and analytics
- Internal discussions about trades and proprietary statistics that appeared to originate from an email server
- Scouting reports that show the potential of prospects
During last year’s breach, Astros General Manager and former Cardinals employee Jeff Luhnow said “We’re doing everything we can to upgrade our security to make sure it doesn’t happen again. It’s unfortunate [the information’s] out there and it’s unfortunate that other teams are affected and individual players. It reflects the age we live in. People are trying to steal information, get information, whether it’s legally or illegally.”
Unfortunately, he and other staffers that followed him forgot the basic security of changing their passwords. According to the article from the New York Times, The attackers used passwords that they had known were used by Luhnow and others while he was still working for the Cardinals organization.
It is becoming almost everyday news that a data breach has occurred. We can’t ignore the signs we see every day. We need to protect and secure the data that we are all stewards of as IT and security professionals. People depend on your brand reputation and assume you will protect the data they entrust to you.
A portion of the data stolen was leaked on a site called DeadSpin. With that in mind, this is a good example of how searching for lost or stolen data regarding your organization on the internet pays off. You may invest in your technology, people and process, but you have to make sure that the basics, such as password management, are implemented and monitored.