Chris Correa, former scouting director for the professional US baseball team St. Louis Cardinals, on Monday was sentenced to nearly four years in prison for hacking a competing Major League Baseball team’s player-personnel database and email system.
In January, Correa pleaded guilty to five counts of computer hacking under the Computer Fraud and Abuse Act (CFAA) hacking statute.
Correa started working for the Cardinals in 2009 and was fired a year ago after he admitted to accessing the Astros’ database from 2013 to at least 2014.
ESPN reports that that’s the same year Correa was promoted to director of baseball development in St. Louis.
He’s looking at 46 months behind bars and a court order to pay $279,038 in restitution. It could have been worse: Correa could have been handed up to five years’ jail time on each count, though maximum sentences are rarely handed out.
According to ESPN, Correa read a letter in court before being sentenced by US District Court Judge Lynn Hughes, in Houston.
He told the court that he was “overwhelmed with remorse and regret for my actions.”
I violated my values and it was wrong … I behaved shamefully. The whole episode represents the worst thing I’ve done in my life by far.
The actions he’s regretting didn’t exactly constitute what you’d call sophisticated hacking.
Rather, it involved guessing at the passwords Astros General Manager Jeff Luhnow used when he worked overseeing drafts for the Cardinals, which he never bothered to change when he got hired as general manager for the Astros.
When Luhnow went on to leave the Cardinals, he handed over his work-issued laptop to Correa.
That allowed Correa to get at his ex-employee’s password for the Astros’ private, online database, called Ground Control, as well as access to Luhnow’s Astros-issued email account.
Luhnow, unfortunately, made it easy for Correa: while at the Cardinals, he was using a variant of the password he used while he worked for the Astros.
As we’ve explained, a reused password can effectively become a skeleton key to your whole online life.
We don’t know what password/password variant was at the heart of this baseball-centric series of database break-ins. But we do know the right way to pick a proper password: here’s a short, sweet video that shows you how.
The lack of a strong password is what enabled Correa to gain unauthorized access to an internal network of the Houston Astros and enabled the theft of closely guarded information about players, including internal discussions about trades, proprietary statistics and scouting reports.
In short, this is a case of corporate espionage.
Even if your password is “Password,” that doesn’t make it right, or even remotely legal, for somebody to break into your accounts.
Still, this is yet another example of how weak passwords have no place anywhere in an organization that has trade secrets to protect.
The same goes for individuals who have personal and financial data to protect: in short, all of us!
Eric Terrell
That headline is very misleading. The conviction was for breaking into computer systems, not “guessing a password”.
brianc6234
Not really though. The guy who left the Cardinals for the Astros was stupid enough to use his old password on his new job. That isn’t breaking in, it’s just logging in. It’s crazy this guy got almost five years in prison for that but Hillary Clinton didn’t even get charged and she broke some serious laws.
Gerry Vrbensky
It’s not as if there have been endless warnings to have a secure password, with today’s savvy hackers, the onnas is has to be on whoever is responsible to maintain the companies security.
If Chris Correa hacked in by guessing the password, then it was wrong for him to do what he did but the punishment should be shared. Short of that he deserves what he got.
KEN
Also the article did not say how he was caught at it.
gregpbarth@gmail.com
But this guy only got 2 years…
https://nakedsecurity.sophos.com/2016/07/15/serial-swatter-stalker-and-doxer-mir-islam-given-2-years-prison/
Seriously broken system.
Lisa Vaas
10 months’ worth of Astros’ internal discussions about trades was posted online at Anonbin back in June 2014. http://deadspin.com/leaked-10-months-of-the-houston-astros-internal-trade-1597951970
Major League Baseball notified the FBI, under the impression that the Astros had been hit by a rogue crook – certainly not by another major league baseball team.
That’s when the investigation started. It soon led to a computer at a home that some Cardinals employees had lived in.
Every move in this “hacking” game reflected security fouls: reusing passwords, leaving a clear path to your home IP address because it doesn’t occur to you to use an internet cafe to do your snooping, Luhnow’s having built a proprietary database and then just tucking it under his arm when he walked out the door, leaving 2FA out of the design of this precious repository of baseball knowledge (indeed, 2FA could have made this so-called “hack” impossible to pull off), and showing off your ill-gotten goods on a public paste site for all to see (not what you’d call subtle!).
Bryan
Holy smokes. Four years for cracking a sports team database, while Mir Islam received only two years (less time already served) for doxing and swatting 50+ people, endangering actual lives.
Anonymous
It does seem like Mir Islam was very fortunate, given the severity of SWATting as a crime. Perhaps the court was harder on Chris Correa because he abused the trust that was supposed to go with the job?
Also, perhaps Mir Islam was able to strike a better than expected plea bargain because he “secretly agreed to cooperate with federal authorities” (as the Naked Security article says). Wheels within wheels…
Bryan
True, Correa abused explicit trust expected of his job, but by endangering lives Mir Islam betrayed the implicit trust placed upon all citizens. Both guys doubtless “knew better.”
If he got a good plea bargain through cooperating with authorities, my inner idealist would like to see that deal rescinded the moment it’s discovered he’s still committing crimes while playing both sides of the fence. To me that illustrates far more self-centered behavior and less remorse.
Paul Ducklin
As for “playing both sides of the fence” in respect of cybercrime, see the story of Hector Xavier Monsegur, aka “Sabu”:
https://nakedsecurity.sophos.com/?s=Sabu
Bryan
I read the first three, which had the same “mugshot” for a cover photo. The first didn’t appear to suggest what I mean, but the second did…I think. And yes; same thing.
It seems cooperating with authorities not only implies strongly you’ll be forgiven (or wrist-slapped) for *everything* you’ve already done, but it even carries forward immutable immunity.
I understand LE must provide incentive to turn against one’s co-conspirators, but immunity should conditionally exist as sort of an inverse** of “ex post facto.”***
“You’re now an unofficial undercover agent and therefore must now behave like a good guy for this to work out.” Lethal Weapon 2 already taught us that diplomatic immunity can go too far…
*** I am not a lawyer; dibs on the blurry dictionary.
** I’m not a mathematician; blurry dictionary twice.