Hacking just hit the major leagues. Professional sports has a long inglorious history of subterfuge---remember the New England Patriots' SpyGate? Or that time Formula One team McLaren "came into possession" of all those documents describing Ferrari's tech? Dirty tricks are nothing new---and neither is digital espionage---but for the first time the two have come together to rock Major League Baseball.
The New York Times reports that the FBI is opening an investigation into the St. Louis Cardinals for allegedly hacking into the Houston Astros network to steal personal data about players. The breach first came to light last year after information taken from the Astros' "Ground Control" database appeared online.
The Astros and the Cardinals, obviously, but also every baseball player in the major and minor leagues. Why? Because baseball teams are competing for a very scarce resource: players. And it was fundamental info on this coveted resource that was allegedly breached in this hack.
Officials told the Times that the Cardinals obtained "internal discussions about trades, proprietary statistics and scouting reports." The privacy of Houston Astros officials having these conversations was violated, as was the personal data of current, former, and prospective players.
One side effect of this hack may be increased silence from general managers, sports writer Jonah Keri tells WIRED. "GMs and other executives might start seeing the risk vs. reward equation differently, and thus start offering less information. We're already seeing it with a bunch of new-generation GMs. Something like this story might just accelerate the process."
When the hack was first uncovered last year, the Astros believed it to be the work of rogue hackers, but the FBI has homed in on Cardinals front office officials after tracing to the attack to one of their homes. The Times indicates they were possibly motivated by a grudge with their former coworker and current Astros General Manager Jeff Luhnow.
The FBI is handing out subpoenas to Cardinals and MLB leadership, though they are not saying which Cardinals employees are specifically under investigation.
The old-fashioned way: allegedly by stealing the Astros' password.
It's no coincidence that the Cardinals chose to spy on the team now being managed by one of its former executives. The Times reports that Ground Control is similar to a database Luhnow built for the Cardinals before leaving. Investigators told the Times that Cardinals officials "examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals." Working off that list, they appear to have guessed the Astros password. If that is how they got in, there's nothing sophisticated about this hack.
Well, let's put it this way: the Cardinals managed to access the Astros' most valuable intellectual property. Those reports on prospective players are the secret sauce of a professional sports team, revealing not just how the team feels about any given player but what its overarching philosophy toward the game is. In our post-"Moneyball" world, sports teams are increasingly analytical about building their rosters. And the Houston Astros are at the forefront of that innovation.
When Jeff Luhnow left to become the Astros General Manager, he pivoted the team's strategy to be decidedly radical in its approach. After a few bumpy years, his approach has paid off: the Astros now have some of the best players in baseball. He built and championed Ground Control, telling Bloomberg last year that the database served as "the repository of the organization’s collective baseball knowledge---the Astros’ brain."
The Cardinals appear to have plugged directly into that brain.
"It's certainly information that could be used to undermine the Astros," Joshua Green, the author of the Bloomberg article on Ground Control, told WIRED.
We imagine every general manager in baseball is changing their passwords right about now. Let this be a reminder to us all: never reuse passwords. And, come on, don't write passwords down, either.
