(Updated 2:00 p.m. Wednesday with further statements from the St. Louis Cardinals.)
In a statement released Wednesday, Cardinals general manager John Mozeliak and team chairman Bill DeWitt Jr. strongly condemned the alleged hacking.
"These are serious allegations that don’t reflect who we are as an organization," DeWitt said. "We are committed to getting to the bottom of this matter as soon as possible, and if anyone within our organization is determined to be involved in anything inappropriate, they will be held accountable."
As soon as the team became aware of the investigation several months ago, officials retained former U.S. attorney James G. Martin, with the law firm Dowd Bennett, to conduct an internal review and provide the information necessary to federal investigators. Martin said the review was not yet complete, and that he would not say anything more to avoid jeopardizing the ongoing federal investigation.
(Our original story)
The FBI and Justice Department are investigating whether front office personnel for the St. Louis Cardinals hacked into the Houston Astros' computer networks that contained player statistics, information about trades and other sensitive data, The New York Times reports.
"Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011," the Times report says.
The Cardinals issued this statement Tuesday morning: “The St. Louis Cardinals are aware of the investigation into the security breach of the Houston Astros’ database. The team has fully cooperated with the investigation and will continue to do so. Given that this is an ongoing federal investigation, it is not appropriate for us to comment further.”
The actual intrusion
According to the New York Times, the alleged intrusion was not very sophisticated. Jeff Luhnow was an executive with the St. Louis Cardinals before he became the Astros general manager in December 2011. The Cardinals officials had allegedly kept a list of passwords used by former executives, including Luhnow, and used that information to gain access to the Houston network.
“As a Cardinals fan, I’m disappointed. As a cybersecurity practitioner, I’m not surprised to find that a password hadn’t been changed,” said Paul Frazier, a cybersecurity expert and adjunct professor at Webster University. “That’s the first thing we teach in cybersecurity is change your password, so the developers can’t find their way back in.”
It’s not that hard for the FBI to figure out that someone’s been somewhere in cyberspace they shouldn’t be, Frazier said.
“Everybody leaves a trace as to where they’re talking from,” he said. “So through the use of their machine access codes and internet protocols, [the FBI] will be able to go back and figure out right down to the machine and time of day the hack occurred, and whether or not the machine was owned by a person in the St. Louis Cardinals organization. They’ll even be able to tell who was logged in at the time.”
The vast majority of so-called “hacking” cases are prosecuted under 18 USC § 1030, the Computer Fraud and Abuse Act, though various state and local laws also apply. The federal law has been around in its current form since 1986.
“It’s a broad and very powerful tool for the federal government,” said Paul Ohm, a former prosecutor for the U.S. Department of Justice’s Computer Crime and Intellectual Property Section who is now an associate professor at the University of Colorado Law School. “It’s often analogized to physical trespass.”
At its most basic level, the law punishes those who obtain information after accessing a computer without permission. The “hack” must also result in a person obtaining information, but that’s a pretty low threshold to meet, Ohm said.
“Courts have said, ‘look, Congress didn’t say you have to download and save a copy of information,’” Ohm said. “If it crosses the network and appears on your screen, that’s good enough for a crime. Casual poking around still satisfies the criminal provision.”
Ohm said the alleged intrusion is like dozens of others prosecuted by the federal government day in and day out.
“What seems most novel about this to me is the actors involved,” he said. “If this was just two titans of industry fighting it out and one of them allegedly crossed the line and FBI got involved, I doubt most of the world would have taken this much notice. I certainly wouldn’t have.”
What’s at stake
The Computer Fraud and Abuse Act authorizes prison sentences of up to 20 years, though Ohm said it’s unlikely that first-time offenders would receive penalties that stiff. He said the Astros could also pursue civil claims against the Cardinals for theft of trade secrets.
Chip Pitts, a former chief legal officer for Nokia and lecturer at Stanford Law School, said he did not believe such inter-team hacking was widespread in baseball.
“Baseball learned its lesson from the earlier corruption scandals in the 20th century that it is a prized institution, and the best results for the teams and their stakeholders come from fair competition on the field.”
And he said any allegations of impropriety could hit the Cardinals especially hard.
“When they’re accused of cheating, it’s really unfortunate,” Pitts said. “It’s somewhat reminiscent of Lance Armstrong. When a perceived winner cheats, it’s even worse.”
Both the Cardinals and Major League Baseball said they were aware of the federal investigation into the security breach, and were cooperating fully. The league went on to say, “Once the investigative process has been completed by federal law enforcement officials, we will evaluate the next steps and make decisions promptly.”
A spokeswoman for the FBI office in St. Louis referred all questions to the Houston bureau. A spokeswoman there would not confirm or deny the existence of that investigation, but released the following statement:
"The FBI aggressively investigates all potential threats to public and private sector systems. Once our investigations are complete, we pursue all appropriate avenues to hold accountable those who pose a threat in cyberspace."
Follow Rachel Lippmann on Twitter: @rlippmann