FBI Investigates Baseball Hack Attack
Legal Expert Says 'Unauthorized Access' Could Be Prosecuted
The FBI and Justice Department prosecutors are probing a 2014 hack attack that allegedly stole sensitive, internal information by hacking into databases run by the Houston Astros professional baseball team. The attack was allegedly launched by the rival St. Louis Cardinals baseball franchise.
The existence of the investigation was first reported by The New York Times, which says that the Cardinals and the Major League Baseball organization have been served with related subpoenas. Citing officials with knowledge of the investigation who spoke on condition of anonymity, the report adds that the ongoing investigation centers on the breach of special databases built by the Astros, which include private discussions of player trades, confidential statistics as well as reports from scouts seeking new talent.
The FBI declined to confirm or deny if it has a related investigation under way. But a spokeswoman tells Information Security Media Group: "The FBI aggressively investigates all potential threats to public and private sector systems. Once our investigations are complete, we pursue all appropriate avenues to hold accountable those who pose a threat in cyberspace."
Some commentators have suggested that if the alleged hack occurred, it may be considered little more than a prank. But one leading cybercrime legal expert has dismissed that analysis, saying that under federal computer-crime law, any unauthorized access to another system can potentially lead to prosecution.
The existence of the investigation was confirmed June 16 by Major League Baseball officials, who said in a statement that they have "fully cooperated with the federal investigation into the illegal breach of the Astros' baseball operations database," and that they are now awaiting the results of that investigation. "Once the investigative process has been completed by federal law enforcement officials, we will evaluate the next steps and will make decisions promptly."
"The St. Louis Cardinals are aware of the investigation into the security breach of the Houston Astros' database," the Cardinals organization says in a June 16 statement. "The team has fully cooperated with the investigation and will continue to do so. Given that this is an ongoing federal investigation, it is not appropriate for us to comment further."
In recent decades, the Cardinals have become one of the most successful franchises in baseball history. Competing in Major League Baseball's National League, the Cardinals are second only to the New York Yankees in the number of World Series championships they have won. It's not clear what benefit the Cardinals might have gained via the alleged hack of the Houston Astros franchise. While the Astros are now part of MLB's American League, until 2013 they competed in the National League, meaning they would have been more direct rivals of the Cardinals.
But U.S. officials believe the hack may have been executed by vengeful front-office Cardinals employees against Jeff Luhnow, the Astros' general manager, who left the Cardinals in 2011, the Times reports. "According to reports, exploitation of the Astros operations database was not the result of a sophisticated industrial espionage intrusion operation," threat-intelligence firm iSight Partners says in a research note. "Rather, it appears to have been facilitated by Astros General Manager Jeff Luhnow's password reuse - the perpetrator reportedly had access to a master list of passwords Mr. Luhnow used in his previous employment with the Cardinals."
It's also not clear if the FBI investigation centers on the previously reported 2014 Astros data leak, in which 10 months of Astros' internal trade talks - contained in a "Ground Control" database that the organization built from scratch in 2012 - were dumped to the anonymous text-sharing site Anonbin.
If the Cardinals did hack the Astros, that might not be a criminal offense, argues legal analyst Lester Munson, a Northwestern University Medill School of Journalism instructor who writes for the website of sports channel ESPN.
"It's certainly ethically questionable, but whether it is a crime is far less certain," says Munson, who is a lawyer licensed to practice in Illinois. "For a federal prosecutor to charge Cardinals executives with 'unauthorized access' to computer information or theft of proprietary, non-public information, the prosecutor must be able to show that the information was the work product of significant efforts by Astros officials and, more importantly, [the information] was not available elsewhere," as well as that the alleged hackers knew what they were doing was a crime. And in the past, he says - for example in steroids-related investigations - "federal courts were not interested in what many in MLB thought was serious cheating."
While that may appear to be a nuanced reaction to a professional sporting body's internal troubles - a truly "inside baseball" affair - many information security experts say that when it comes to computer crime, federal prosecutors tend to go overboard and seek harsh sentences that are often disproportionate to the actual crime that has been committed (see The Myth of Cybercrime Deterrence).
Cybercrime Expert: Allegations Suggest Crime
Orin Kerr, a professor of law at the George Washington University who specializes in computer crime laws, disagrees with many of Munson's legal assertions. "If the basic allegations are true, the hack was clearly a crime. The only question is how serious a crime it was," he writes in his Washington Post blog.
Kerr says the federal law that most obviously would apply - if the hacking allegations are true - would be 18 U.S.C. 1030(a)(2) - "Fraud and related activity in connection with computers" - which deals with unauthorized access to information:
Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished as provided in subsection (c) of this section.
"There is no requirement that the information be 'proprietary, non-public' information, or that it is 'the work product of significant efforts by Astros officials . . . not available elsewhere.' The statute is clear: The information just needs to be, well, 'information.' Any information of any kind will do," Kerr says. "Yes, the information has to be from a 'protected computer.' But pretty much everything with a microchip is a 'protected computer,' and obviously a computer connected to the Internet counts as one."
Violating that statute, however, is a misdemeanor, and federal investigators rarely bother with misdemeanors, he says. Still, the alleged hack attack could be classified as a felony if "the offense was committed for purposes of commercial advantage or private financial gain" or if the value of the information obtained was greater than $5,000, he says.