S4 | MONDAY, SEPTEMBER 26, 2016 | White-Collar Crime | NYLJ.COM
Of Redbirds and Rockets:
Corporate Espionage and America’s Pastime
BY ANDREW GARBARINO
W ith the baseball season about to enter the postseason, perhaps it’s time to revisit an interesting off-the-field legal
drama from the 2015 season, namely the cor- porate espionage case involving two former National League Central rivals.
As originally reported in the New York Times,1 the St. Louis Cardinals made news in connection with the alleged hacking of a database owned by the Houston Astros. The attack appears to have been in furtherance of a variety of potential motives: A desire to obtain intelligence from the Astros proprietary “Ground Control” database, to embarrass Jeff Luhnow, a former Cardinals executive who is now the Astros General Manager, or to deter- mine whether Luhnow took data or other intel- lectual property developed by the Cardinals with him to a competitor. The FBI conducted an investigation into the allegations.
ANDREW GARBARINO is of counsel with Ruskin Moscou Faltischek, where he is a member of the health care, white-collar crime & investigations and cybersecurity groups. Law student COREY MORGENSTERN contrib- uted to the article.
In December 2015, as a result of the FBI’s investigation, Christopher Correa, then-scout- ing director for the Cardinals, was charged in a five-count indictment for his illegal access of Ground Control. In January 2016, he pled guilty to Unauthorized Access to a Protect- ed Computer in connection with the illegal accessing of the Ground Control database. He was sentenced on July 18, 2016 to 46 months in federal prison and was ordered to pay $279,038 in restitution.2 Prosecutors alleged that Correa caused approximately $1.7 million in loss to the Astros.3
Let that sink in for a moment. A Major League Baseball team was investigated by federal authorities for cybercrimes allegedly committed against another baseball team. And someone will be going to jail for nearly four years as a result.
The background of the matter is fascinat- ing. While he was with the Cardinals, Luh- now developed a database called “Redbird”. The database was devoted in large part to advanced baseball analytics and, through the use of statistical information that was run through it, the Cardinals had great success in baseball’s amateur draft, which culminat- ed (after Luhnow left for the Astros,) with a World Series championship in 2013, at which time more than half of the 25-man-roster was
comprised of players Luhnow played a role in drafting and developing, presumably by way of the statistical analysis provided in part by the Redbird database.
Despite the success he enjoyed in St. Louis, Luhnow left the Cardinals on less than cordial terms. Moreover, when Luhnow left for the Astros, he brought several other Cardinal employees along with him and developed the Ground Control database, which appar- ently shares similarities with the Cardinal’s Redbird system. There has also been some talk that Luhnow or other former Cardinal employees may have logged on to the Redbird system after leaving the Cardinals. They may have simply logged in, if the Cardinals failed to delete old passwords or otherwise restrict access to Redbird.
Lost in the various news reports about the incident is the fact that the two organiza- tions are billion-dollar companies working in a multi-billion-dollar industry. As with any busi- ness, the ability to access data and creative thinking developed and used by competitors is tantalizing—especially when only a discreet number of organizations operate within the sport.4 Indeed, Major League Baseball teams employ a surprising number of employees, without even considering their minor league affiliates. In an industry like baseball, where
staggeringly high dollar amounts are spent on the annual salaries of even mediocre players, the usefulness of large quantities of informa- tion cannot be overstated. When information has been developed by a significant competi- tor, the value of their closely-guarded infor- mation becomes almost incalculable from a competitive standpoint. The old saw that “information is power” is nowhere more starkly illustrated than in the talent-vetting of professional athletes.
While it may seem difficult to relate one’s own work to the management of a sports team, the need to safeguard both data and proprietary information is germane to all businesses, regardless of industry. Protecting lists of vendors (and associated agreements and contractual terms), referral sources and communications are essential to the well- being of any company. That safeguarding of proprietary data doesn’t even consider the vital need to protect customer or employee information, such as Social Security num- bers and the like—always prime targets for computer-savvy interlopers.
Specialized industries—like baseball— present more specialized concerns, in addi- tion to those described above. In health care, it could be guarding patient data in light of overwhelming regulation; in banking, credit information, account information and other important items at a time when hacking scan- dals are commonplace; in the mining industry, it could include data regarding prospective resource studies and geological surveys that a company spent significant resources obtain- ing. Indeed, no matter the industry, the failure to secure proprietary information, data and systems can be both devastating and embar- rassing. Companies must actively consider what information held on their systems is most critical to their business and how to best protect that information.
The actual motivation aside, the “hack” in the Cardinals saga appears to have been accomplished by relatively low-tech means. Correa (and perhaps other Cardinals employ- ees),5 having access to prior passwords used by the employees who defected to the Astros may have simply tried those same or simi- lar passwords in signing onto the Ground Control database.6 Despite the $1.7 million figure stated by the government at the time of Correa’s sentence, the true cost of the Astros failure to ensure the sanctity of the Ground Control data by not properly vetting passwords remains to be seen.
The monetary cost of cybersecurity is already reaching absurd heights and in this atmosphere of seemingly endless software updates and a constant influx of new prod- ucts, it is easy to overlook or even disregard the risk of ensuring password security. Even then, those costs pale in comparison to the financial consequences of an actual data breach.
RAFAL PYTEL, ISTOCK