Former Major League Baseball director of scouting for the St. Louis Cardinals, Christopher Correa, has been sentenced to 46 months in prison for hacking the scouting records and email system of the Houston Astros. Correa “repeatedly viewed confidential information” on the Astros scouting database using “sophisticated means” to hide his identity. Correa’s actions violated the Computer Fraud and Abuse Act, a federal law which prohibits unauthorized access to another business’s computer with the intent to steal data from that computer. Hence, the lengthy sentence. However, the important piece of information to note here is how Correa gained access to the Astros database.
A former colleague of Correa’s, Jeff Luhnow, left the Cardinals organization to become the General Manager of the Houston Astros. Correa apparently knew Luhnow’s login credentials/password while they worked together and used the old password to gain access to the Astros system.
This seems to be an awfully big cyber-related case for a risk that could have been easily mitigated by employing several simple company policies.
- Never share your password with anyone – This statement is now akin to “don’t talk to strangers.” Never leave your password on your desk or attached to the underside of your keyboard.
- Enforce regularly scheduled password updates – Require employees to change their password every 60 days. If that seems extreme, try 90-120 days.
- Require strong passwords – Strong passwords include a minimum of 8 characters, with uppercase and lowercase letters, numbers, and a special character. The name of your dog or your child’s birthday may be too easy to guess, and simple software packages will be able to break weak passwords with ease.
- Remove access credentials for terminated employees – Procedures should be in place to ensure all remote access to company systems is cut off immediately once someone resigns or is terminated.
- Employ Two-Factor Authentication – Equip users with a means to generate a randomized, quickly expiring token that they are required to enter when logging into corporate systems. This multi-factor authentication allows companies to protect against compromised user credentials.
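As an added illustration of the last item (example code, not part of the original post), the following Python implements an RFC 6238 time-based one-time password (TOTP) and a login check that only succeeds when both the password and a token for the current time window are presented. The shared secret shown is the RFC 6238 SHA-1 test-vector key, used here purely so the output can be checked against the published vectors; it is not a real credential.

```python
import hashlib
import hmac
import struct
import time

# Demonstration secret: the RFC 6238 SHA-1 test-vector key, NOT a real credential.
# In a deployment each user gets a unique, randomly generated secret that is held
# server-side and in the user's authenticator app, never shared with colleagues.
SECRET = b"12345678901234567890"
STEP = 30      # each token is valid for one 30-second time step
DIGITS = 6


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(password_ok: bool, token: str, secret: bytes, now: int, skew: int = 1) -> bool:
    """Accept the login only if the password check passed AND the token matches the
    current time step (or an adjacent one, to tolerate small clock drift)."""
    if not password_ok:
        return False
    for delta in range(-skew, skew + 1):
        expected = totp(secret, now + delta * STEP)
        if hmac.compare_digest(expected, token):              # constant-time compare
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    token = totp(SECRET, now)
    print("current token:", token)
    # A known password plus a token observed two minutes ago is rejected, which is
    # what stops a reused credential on its own from unlocking the account.
    print("password + stale token:", verify_login(True, totp(SECRET, now - 120), SECRET, now))
    print("password + current token:", verify_login(True, token, SECRET, now))
```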
This case clearly demonstrates that overlooking simple cyber risks may lead to a major breach.
Click here if you’d like help with structuring your cyber risk mitigation program or to request more information about The ALS Group.