Feds Confirm Cardinals Accessed Astros System With Old Password, File Unauthorized Access Charges
from the the-cardinal-way dept
Sports fans in the city of St. Louis are having a rough go of it lately. Fresh on the heels of losing their football team to Los Angeles, now we are learning that the federal government has charged former Cardinals scouting director Christopher Correa with unauthorized access into the Houston Astros computer systems. While some had speculated that the government would go after the Cardinals under the Economic Espionage Act, it’s beginning to look like our original assumption that the CFAA would be the tool the government would wield has been proven correct. Also appearing to be correct were reports that the “hacking” that took place in this instance was of the less hack-y variety and more of the let’s-try-the-guy’s-old-password-y.
Correa illegally accessed the Astros’ computers in the following way: In December 2011, as Victim A prepared to leave the St. Louis Cardinals and join the Houston Astros, he was directed to turn over his Cardinals-owned laptop to Correa — along with the laptop’s password. When Victim A joined the Astros, he re-used a similar (albeit obscure) password for his Astros’ email and Ground Control accounts. No later than March 2013, Correa began accessing Victim A’s Ground Control and Astros’ email accounts using this variation of the password to Victim A’s Cardinals laptop.
Note that Victim A is Jeff Luhnow, now Astros General Manager and former Cardinals employee, while Ground Control is the name for the Astros’ player scouting database. As far as competitive information goes, this is the treasure chest for any baseball team. At the court hearing, Correa entered a plea of guilty, claiming that he only accessed the Astros’ systems because he believed that propietary information from the Cardinals’ club had been taken first. Correa followed that up by admitting that such reasoning was “stupid.”
And indeed it is stupid, given the penalties that can be assessed for his crime.
The parties agreed that Correa masked his identity, his location and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.
Each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine.
Given the plea deal, and the fact that Correa isn’t a young man pushing back at the government in trying to change the world, I expect that the jail time will be minimal if any. Which is probably unfortunate, because as far as CFAA cases go, this is one where actual crimes have been committed.