[BreachExchange] Baseball Hacking Case Ends with Prison

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 19 19:40:12 EDT 2016


http://www.databreachtoday.com/baseball-hacking-case-ends-prison-a-9273

A former St. Louis Cardinals scouting director has been sentenced to 46
months in federal prison for illegally peeking at a player-drafting
database for the Houston Astros - a hefty term for a highly unusual
hacking case.

Christopher Correa, 36, was accused of illegally accessing Ground Control,
a cloud-based database that held the Houston team's most critical
observations on potential players, and an Astros email account. He pleaded
guilty in January in federal court in Houston to five counts of
unauthorized access to a protected computer.

The case is unique because of the stiff sentence Correa received. It is
also likely the first ever cyber espionage prosecution relating to sports,
says Edward McAndrew, a former federal cybercrime prosecutor and now
partner with law firm Ballard Spahr.

"To see [cyberespionage] between two professional sports franchises in a
way that was meant to enable one to get a competitive advantage is
unparalleled in terms of its prosecution," McAndrew says.

The case also highlights serious errors made by the Houston Astros in
managing Ground Control, which was breached by separate attackers while
Correa was snooping for player scoops.

Harsh Sentence?

A first-time cyber offender, Correa faced up to five years in prison on
each count. Federal judges rarely stack counts when sentencing, so the
effective maximum that Correa could have faced was 60 months. His 46-month
sentence is "significant" and shows intent by the judge to deter others,
McAndrew says.

Defendants have typically received much lower sentences in similar cases,
indicating U.S. District Judge Lynn N. Hughes aimed for a deterrent effect,
McAndrew says.

"Sending a message is, in fact, something that judges are supposed to
consider when they impose criminal sentences," McAndrew says. "And because
of the very unique nature of this particular crime and this particular
sentence, I think the judge was certainly doing that here."

Correa was also ordered to pay the Astros $279,038 in restitution. The team
lost an estimated $1.7 million as a result of the intrusions.

Correa received a slightly shorter sentence than that of Su Bin, a
51-year-old Chinese businessman who pleaded guilty to conspiring to hack
the computer networks of U.S. defense contractors, including Boeing. Bin
was sentenced on July 14 to 48 months in federal prison and fined $10,000,
according to Reuters.

"If one wanted to heckle this - while Mr. Correa's plea bargain is within
the ballpark - one would say he should get more than a two-month discount
off of a military-style hack," says Ira Rothken, a technology attorney
based in Novato, Calif.

Ground Control

The Houston Astros set up Ground Control in 2012 as part of a move away
from pen-and-paper notes. But the team struck out due to poor information
security practices.

Ground Control was a password-protected, internet-facing web service
containing detailed notes on players that the Astros were scouting, which
could have given clues as to which players the team might draft.

In December 2011, Correa, then the Cardinals' director of baseball
development, was given the laptop of a team employee who was moving to the
Astros. That employee, referred to as Victim A, also turned over his
password to Correa, according to a court document.

Victim A then used a similar password for his Astros email and Ground
Control accounts. Correa discovered the variation and accessed both
accounts.

In a January hearing, Assistant U.S. Attorney Michael Chu described Victim
A's password as "based on the name of a player who was scrawny and who
would not have been thought of to succeed in the major leagues, but through
effort and determination he succeeded anyway."

"So this user of the password just liked that name, so he just kept on
using that name over the years," Chu said, according to a court transcript.

Scouting for Data

In his first intrusion in March 2013, Correa downloaded an Excel file that
contained the Astros' scouting list and how the players were ranked.

Three months later, he accessed Victim A's Ground Control account,
filtering results to only show players that the Astros were considering who
had not been drafted yet.

As Correa was poking around, the Astros faced a larger problem. In March
2014, the Houston Chronicle ran an in-depth story about Ground Control, and
unknown attackers accessed the database. The team then changed the
database's website address, and Ground Control users were also prompted to
change their passwords.

That's when the Astros made a critical mistake. Fearing that some users
would not change their passwords fast enough, the team reset all Ground
Control accounts to a single default password and then emailed that
password to all users.

Correa kept his access, as he knew the new URL for Ground Control and saw
the default password emailed to Victim A. He then used the default password
to open the Ground Control account for Victim B.
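The reset described above failed because every account received the same secret, so one intercepted email opened any account. The following is an added example (not code from the article or from the Astros' system) contrasting that design with per-account, single-use, expiring reset tokens; the class, function names and the placeholder default value are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from collections import Counter

TOKEN_TTL_SECONDS = 3600  # constructed policy value: reset tokens live one hour


def _hash(value: str) -> str:
    # Only the hash of a reset secret is stored, so reading the table does not yield live tokens.
    return hashlib.sha256(value.encode()).hexdigest()


class ResetService:
    """Hypothetical hardened reset: a fresh random token per account, single use, expiring."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be exercised offline
        self._pending = {}              # account -> (token_hash, expires_at)

    def issue(self, account: str) -> str:
        token = secrets.token_urlsafe(32)   # unique per account; never shared across users
        self._pending[account] = (_hash(token), self._now() + TOKEN_TTL_SECONDS)
        return token                        # delivered only to that account's verified address

    def redeem(self, account: str, token: str, new_password: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[account]      # stale token is discarded, not accepted
            return False
        if not hmac.compare_digest(token_hash, _hash(token)):
            return False                    # a token issued to another account does not match
        del self._pending[account]          # single use: a captured token cannot be replayed
        return len(new_password) >= 12      # minimal strength check on the replacement


def shared_default_reset(accounts):
    """Models the failure in the article: one default password mailed to every account."""
    default = "PLACEHOLDER-DEFAULT"        # constructed placeholder, not the real value
    return {acct: default for acct in accounts}


def accounts_exposed_by_one_leak(reset_values):
    """How many accounts does learning a single user's reset value unlock?"""
    return max(Counter(reset_values.values()).values())
```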

The bungled security refresh by the Astros, which came too late, proved to
be costly. In June 2014, about 10 months' worth of information from Ground
Control was leaked online, Deadspin reported at the time. The Astros
undertook a security review, and Major League Baseball contacted the FBI.

When he pleaded guilty on Jan. 8, Correa admitted to the breach, saying
that he "trespassed the Astros' resources based on suspicions that they had
misappropriated proprietary work from myself and my colleagues."

Judge Hughes then asked Correa, "So you broke in their house to find out if
they were stealing your stuff?"

"Stupid, I know," Correa responded.