Last year, the story broke about a Cardinals baseball executive who was accused of hacking into the Houston Astros. Today, after a thirteen month FBI criminal investigation, 36 year old Christopher Correa, the former Director of Baseball Development for the Cardinals, pleaded guilty to five counts of unauthorized access of a protected computer. As part of the guilty plea, Correa was sentenced to 46 months in prison, to be followed by a two-year term of supervised release. He must also pay $279,038.65 to the Astros for damages he caused them by his actions.
In handing down the sentence, US District Judge Lynn Hughes chastised Correa for his actions, stating that he has caused baseball teams to have tighter and more intrusive security and made it harder for team employees to do their work and live their lives. He refused to accept Correa’s apology and his statement that he “acted recklessly” , telling him instead that he “intentionally and knowingly did those acts.” US Attorney Kenneth Magdison thanked investigators for conducting the thorough research and evaluation of the crime and the Court for accepting the plea and sentencing recommendation, which he said fit the seriousness of the crime, and stated that “today, justice was done.”
What did Correa Do?
The breach apparently started when a Cardinals employee went to work for the Houston Astros. Using information on the former employees computer, Correa figured out how to hack into the employee’s new account on the Houston system, supposedly in part because the employee used a password there which was similar to his old one on the Cardinals system. Once in, Correa repeatedly hacked into multiple areas of the proprietary and confidential “Ground Control” database used by Houston to track and evaluate talent. This included detailed analytics information, scouting reports, and lists of players the Astros planned to draft. According to the official FBI press release, “All parties agreed that Correa masked his identity, location, device used, and that the total intended loss for all the intrusions is approximately $1.7 million.” Thus far, no other members of the Cardinals organization have been charged.
Why the plea agreement?
One can only speculate, but there are several factors why it may have gone this way. First, from the government’s perspective, getting a high-profile conviction and a significant sentence without investing time and resources in a trial, along with the risk of a loss at trial, is extremely attractive. Part of the purpose of criminal investigations and prosecutions is to serve as a deterrent effect. Today’s decision doubtless had that effect, as potential or undiscovered perpetrators of similar misdeeds in MLB or other organized sports received a clear and unequivocal signal that there will be extremely bad consequences if you do these things and are caught.
Second, and more speculatively, it may have something to do with further prosecutions. The charges on which Correa pleaded guilty were a selection of what the investigators found. The Feds may have been waiting for the Correa case to be over before proceeding to charge other individuals, or potentially the team itself. On the other hand, an agreement to not proceed with such charges may have been instrumental in obtaining the guilty plea, with other potential defendants strongly encouraging a bright young professional who would probably like to work in the game again in the future to “fall on his sword.” Again, there is nothing in the information published thus far to support anything of this nature, but it is plausible, and would fit with the facts and circumstances. We will all have to see what develops.
Why is this important?
Correa was charged for violating laws normally used to catch and convict corporate spies, unscrupulous Wall Street types, identity thieves, agents of foreign governments trying to obtain defense and state secrets, and a variety of other criminals. They were not aimed at or intended for baseball or other professional sports, but do not exclude them either. The laws exist to deter and punish individuals or organizations who engage in such behavior. Individuals who chafe at having to regularly change and strengthen passwords and resent having to pay for Life Lock (sm) and other identity / credit protection services should understand the unintended consequences of actions like those undertaken by Correa. What he did is not much different from the stories we read about Chinese cyberspies hacking into and stealing confidential data from US defense companies, or the criminals who recently stole identities and credit card information on tens of thousands of customers at Target. It just had not happened in baseball.
Until it did, that is. Because of his actions, baseball teams will have to hire IT security experts and invest significant dollars in hardware and software to protect themselves from similar attacks by others. These are dollars that could have been used for player salaries or to promote youth baseball in the inner city, among other things, but will instead be “wasted” on agency costs of IT security which are now necessary, but which add no value to the sport. In addition, system users will have to engage in much more secure behavior, encrypt files, use more complex passwords, change them more frequently, and otherwise be inconvenienced because of what Correa did.
What Happens Next
When the story broke, MLB suspended its own investigation and action pending the legal criminal investigation and judicial proceedings. As far as Mr. Correa is concerned at least, that phase is over. The Office of Commissioner Rob Manfred announced that it will now conduct its own investigation as a follow-up to the work done by the Feds, and will issue its own report and punishment(s).
We won’t know the outcome of this next phase for a few months. What is likely is that there will be consequences for Correa from MLB in addition to those he faces from the government. These could include additional fines and / or a suspension from baseball. Perhaps, in the ultimate irony, Mr. Correa could be banned for life from baseball and obtain employment handling IT Security at Pete Rose’s Hits King establishment in Las Vegas. (Just kidding.)
There could be consequences for the Cardinals as well. According to ESPN writer Mark Saxon, the Commissioner’s comments on the subject at an ASG week press conference that this appeared to be “roguish behavior by one employee and not a systemic organizational problem” may indicate that he agrees with Cardinals CEO Bill DeWitt that the team did not encourage the practice and knew nothing about it. If so, they may get off lightly. Still, to paraphrase the Watergate Era line “How much did the President know, and when did he know it,” a key question is “How much did the Cardinals know, or have reason to know, and when, and how much did they benefit from that knowledge?” Even if they knew nothing, they undoubtedly benefitted from Correa’s illicitly obtained information for several years. How many players did they sign or avoid, and how many prospects did they deny the Astros, because of their illegal insider information? The Commissioner could fine the Cardinals as a club or individual members of the organization, reduce future prospect signing pools, void contracts, take away future draft choices, and any combination of the above.
Commissioner Manfred will most likely take three main factors into account in making his decision. First, how much did Cardinals management, particularly Correa’s bosses know, or at least suspect and tolerate. Second, how much did the Cardinals, knowingly or unwittingly, benefit from these actions? Finally, how much of a deterrent does he want to establish against similar actions by other MLB clubs? If only for this reason, intended to minimize the degree to which teams have to invest energy and resources to protect themselves, he may want to impose draconian consequences on the Cardinals.
The FBI investigation into the data breach of the Houston Astros proprietary “Ground Control” database system is now concluded. It turns out that it was as bad as some observers, including me, initially suspected.
Former Cardinals employee Chris Correa confessed to multiple charges and will serve a 46 month prison sentence, plus two years of supervised release, and also pay roughly a quarter million dollars in restitution.
The fact that the plea was offered and accepted clearly implies the government had significant additional information and wanted to wrap up the case against Correa with little further investment of time and resources and without trial risk. No one else has been charged thus far, but potentially that could change, depending on what else the Feds have, what they want to do with it, and what was agreed to in private in the plea deal with Correa.
What Correa and the Cardinals did is extremely serious, and the sentence reflects that fact. The laws under which he was prosecuted are the same ones used against serious corporate and international spies, and against identity thieves. It could have gone even worse for him.
Because of this event, teams will undoubtedly have to invest large sums of money in consultants, hardware, and software designed to protect their proprietary and confidential IT systems, and require employees to use stronger passwords, change them more often, and as the judge stated, make their work and lives more complicated. All of this adds absolutely nothing of value to the game, but is made necessary by what happened.
The Office of the Commissioner of Baseball will now conduct its own investigation, and may impose additional punishment on Chris Correa, on other members of the Cardinals organization as individuals, or on the Cardinals organization itself. Part of his motivation will doubtless be punishing those who did wrong, and also to provide a strong deterrent against such behavior in the future.
For those interested in the details of the Federal investigation and judicial proceedings, here is a link to the official press release.