America’s oldest pastime has had a series of tech problems lately, ranging from the humorous to the scandalous. In a recent game, the Philadelphia Phillies could not call the bullpen for a new pitcher because the phone was off the hook. This left a position player on the mound and fans of other teams laughing. Last month, the Boston Red Sox benched Pablo Sandoval for a game after he “liked” a few Instagram pictures mid-game. While these incidents were comical, the St. Louis Cardinals’ alleged hacking is far more serious, for several reasons – possible criminal activity, potential civil liability, and perhaps most importantly, the sports world showing that it too is vulnerable to hacking and privacy breaches, whether the hack occurs within a league or comes from the outside.
The FBI is investigating the Cardinals after discovering multiple security breaches of the Astros’ databanks. And we can be certain of one thing: whether or not the Cardinals organization is at fault, the public does not yet have all the facts. Just days after the initial public disclosure of the investigation, the FBI disclosed that at least one additional hacking source was discovered, and still we have no certainty regarding the identity of any of these sources or the culprits. Federal officials reported that at least one of these breaches went through a popular identity-disguising network, called Tor, or “the onion router.” The network uses volunteer-operated servers that direct a user’s internet traffic through “virtual tunnels” instead of directly to their desired website. One Astros breach was traced back to a couple in Indiana, though officials believe they are merely unknowing participants in the Tor network.
Officials traced another breach in the Astros’ system to a home in Jupiter, Florida — the site of the Cardinals’ spring training facility. This and other evidence led the FBI to believe that the Cardinals might be stealing more than just bases, but it’s speculation at this point. If, in fact, there is inter-team hacking within baseball, that’s terrible for baseball, for sports and for consumers, and any such wrongdoing must be punished. But the investigation itself highlights a bigger issue – there’s now yet another huge industry that could be subject to cyberattacks.
If there was criminal activity, the responsible party or parties should of course be punished. Corporate espionage occurs for a variety of reasons, and the sports world is no different. In the event it is proven that the Cardinals are responsible here, their motives have yet to emerge, but most theories suggest that they might lead back to general manager Jeff Luhnow. Now with the Astros, Luhnow started his career with the Cardinals. Some speculate that the Cardinals targeted information pertaining to Luhnow’s use of sabermetrics, the complex statistics used to evaluate players. Others believe the alleged breach may have been purely motivated by revenge, regardless of where responsibility may fall. The Cardinals’ front office has disclaimed any organized attempt to undermine the Astros and says it is cooperating with authorities in their search.
A hacking attempt can be prosecuted under 18 U.S.C. § 1030, the Computer Fraud and Abuse Act (CFAA), as well as various state and local laws. The CFAA protects computers used in or affecting interstate commerce – a minimal requirement met when a computer connects to the internet. See, e.g., United States v. Drew, 259 F.R.D. 449, 457 (C.D. Cal. 2009). The statute provides penalties for individuals who obtain information through unauthorized access. “Obtaining information” can mean simply viewing it online without downloading or saving. See America Online, Inc. v. National Health Care Discount, Inc., 121 F. Supp. 2d 1255, 1275 (N.D. Iowa 2000). Violation of this prohibition can be a misdemeanor, but many aggravating factors can apply. If the information is obtained for commercial advantage, for example, the crime is raised to a felony and it can be punishable by a fine, up to five years’ imprisonment, or both.
Sources have also speculated that the hack could have occurred because the Cardinals kept a list of Luhnow’s passwords from his time at the organization. Whatever the reality may be, hackers allegedly tried a number of these passwords on the Astros system, and one of them worked to access the other team’s data. This story functions as a good reminder to everyone that unique passwords should be used for important accounts like email, bank websites, and of course, scouting reports. Further, passwords should contain numbers, letters, and symbols, and should avoid common dictionary words. Users can have technologically advanced anti-hacking systems, but these are not effective if the password for entry can be easily guessed. Stay tuned to Cyber Law Monitor for updates on this and other cyber security news.