www.NYLJ.com, White-Collar Crime, Volume 256, No. 60, Monday, September 26, 2016

Of Redbirds and Rockets: Corporate Espionage and America’s Pastime

By Andrew Garbarino

With the season about to enter the postseason, perhaps it’s time to revisit an interesting off-the-field legal drama from the 2015 season, namely the corporate espionage case involving two former National League Central rivals. As originally reported in the New York Times,[1] the St. Louis Cardinals made news in connection with the alleged hacking of a database owned by the . The attack appears to have been in furtherance of a variety of potential motives: a desire to obtain intelligence from the Astros’ proprietary “Ground Control” database, to embarrass Jeff Luhnow, a former Cardinals executive who is now the Astros General , or to determine whether Luhnow took data or other intellectual property developed by the Cardinals with him to a competitor.

The FBI conducted an investigation into the allegations. In December 2015, as a result of the FBI’s investigation, Christopher Correa, then-scouting director for the Cardinals, was charged in a five-count indictment for his illegal access of Ground Control. In January 2016, he pled guilty to Unauthorized Access to a Protected Computer in connection with the illegal accessing of the Ground Control database. He was sentenced on July 18, 2016 to 46 months in federal prison and was ordered to pay $279,038 in restitution.[2] Prosecutors alleged that Correa caused approximately $1.7 million in loss to the Astros.[3]

Let that sink in for a moment. A team was investigated by federal authorities for cybercrimes allegedly committed against another baseball team. And someone will be going to jail for nearly four years as a result.

The background of the matter is fascinating. While he was with the Cardinals, Luhnow developed a database called “Redbird”. The database was devoted in large part to advanced baseball analytics and, through the use of statistical information that was run through it, the Cardinals had great success in baseball’s amateur draft, which culminated (after Luhnow left for the Astros) with a World Series championship in 2013, at which time more than half of the 25-man roster was comprised of players Luhnow played a role in drafting and developing, presumably by way of the statistical analysis provided in part by the Redbird database.

Despite the success he enjoyed in St. Louis, Luhnow left the Cardinals on less than cordial terms. Moreover, when Luhnow left for the Astros, he brought several other Cardinals employees along with him and developed the Ground Control database, which apparently shares similarities with the Cardinals’ Redbird system. There has also been some talk that Luhnow or other former Cardinals employees may have logged on to the Redbird system after leaving the Cardinals. They may have simply logged in, if the Cardinals failed to delete old passwords or otherwise restrict access to Redbird.

Lost in the various news reports about the incident is the fact that the two organizations are billion-dollar companies working in a multi-billion-dollar industry. As with any business, the ability to access data and creative thinking developed and used by competitors is tantalizing—especially when only a discrete number of organizations operate within the sport.[4] Indeed, Major League Baseball teams employ a surprising number of employees, without even considering their minor league affiliates. In an industry like baseball, where staggeringly high dollar amounts are spent on the annual salaries of even mediocre players, the usefulness of large quantities of information cannot be overstated. When information has been developed by a significant competitor, the value of their closely guarded information becomes almost incalculable from a competitive standpoint. The old saw that “information is power” is nowhere more starkly illustrated than in the talent-vetting of professional athletes.

While it may seem difficult to relate one’s own work to the management of a sports team, the need to safeguard both data and proprietary information is germane to all businesses, regardless of industry. Protecting lists of vendors (and associated agreements and contractual terms), referral sources and communications is essential to the well-being of any company. That safeguarding of proprietary data doesn’t even consider the vital need to protect customer or employee information, such as Social Security numbers and the like—always prime targets for computer-savvy interlopers.

Specialized industries—like baseball—present more specialized concerns, in addition to those described above. In health care, it could be guarding patient data in light of overwhelming regulation; in banking, credit information, account information and other important items at a time when hacking scandals are commonplace; in the mining industry, it could include data regarding prospective resource studies and geological surveys that a company spent significant resources obtaining. Indeed, no matter the industry, the failure to secure proprietary information, data and systems can be both devastating and embarrassing. Companies must actively consider what information held on their systems is most critical to their business and how to best protect that information.

The actual motivation aside, the “hack” in the Cardinals saga appears to have been accomplished by relatively low-tech means. Correa (and perhaps other Cardinals employees),[5] having access to prior passwords used by the employees who defected to the Astros, may have simply tried those same or similar passwords in signing onto the Ground Control database.[6] Despite the $1.7 million figure stated by the government at the time of Correa’s sentence, the true cost of the Astros’ failure to ensure the sanctity of the Ground Control data by not properly vetting passwords remains to be seen.

The monetary cost of cybersecurity is already reaching absurd heights and in this atmosphere of seemingly endless software updates and a constant influx of new products, it is easy to overlook or even disregard the risk of ensuring password security. Even then, those costs pale in comparison to the financial consequences of an actual data breach.

Password security requires a degree of effort that cannot simply be passed along to an IT group or tech vendor. The low-tech aspect of the attack is a useful lesson: Cybersecurity does not end upon software updates, the updating of hardware and devotion of time and resources to audits.

Rather, cybersecurity carries a major human resources component as well. The prevalence of remote access to company systems makes the sort of low-tech entry into a target’s systems all the more dangerous, as the form of access itself will not trigger any alarm bells. These days, employee identification numbers or email addresses and a password are often all that is needed to access a workplace’s network.

For that reason, it is critical to assess employee passwords on a regular basis. With new employees, they affirmatively should be asked whether they have used their password anywhere before. Better yet, they should be asked if they have even used a similar password in the past. For example, an employee using a password based upon his son’s name and numeric birthdate, a password that has never been used by him in the past, will be dangerous if, at his previous employer, he used a password based on his daughter’s name and numeric birthdate—it’s just too easy to figure out for the sort of low-tech hacker, with access to former passwords. An explicit expression of the need for safeguarding company data should be a foremost concern with any new employee.

In the case of part-time employees, it goes without saying that an employee should provide assurances that they are using different passwords at their different jobs. In the case of vendors, confirming that any password-enabled access they are permitted is premised upon unique passwords should be mandated and in writing.

The continued sophistication and even cutting-edge methods of would-be hackers make the world of cybersecurity difficult enough. However, failing to recognize the low-tech or even no-tech aspects of password protection and rampant remote access can have far more damaging consequences, as the existence of a breach may go unnoticed for a significant amount of time. As in almost all business concerns, effective cybersecurity should start with effective communication to employees and vendors and not ignore obvious common sense considerations.

One of the first tasks upon the hiring of a new employee is to create an employee log-in. Regularly addressing the cybersecurity aspect of the new-hire process then, at an easy and natural moment, can avoid dooming the organization to costly audits and other consequences of a breach, like governmental scrutiny.

By carefully establishing and implementing workplace initiation policies that immediately address cybersecurity, the need to resort to and rely upon software safeguards and, worse yet, breach insurance coverage, may be avoided. Careful adherence to the human resources aspect of cybersecurity can only serve to strengthen overall security.

Notes

1. Tyler Kepner, “Astros’ G.M. Jeff Luhnow Delegates With a Drive for Data,” THE NEW YORK TIMES (June 19, 2015), http://www.nytimes.com/2015/06/20/sports/baseball/cardinals-scandal-astros-jeff-luhnow-target-of-hacking-was-helped-and-hindered-by-technology.html?_r=0.

2. “Christopher Correa, Former Cardinals Executive, Sentenced to Four Years for Hacking Astros’ Database,” THE NEW YORK TIMES (July 18, 2016), http://www.nytimes.com/2016/07/19/sports/baseball/christopher-correa-a-former-cardinals-executive-sentenced-to-four-years-for-hacking-astros-database.html.

3. The loss was calculated in part by accounting for how the Cardinals altered their drafting based upon the information that was obtained from Ground Control.

4. One need only look toward how quickly the Tom Brady/National Football League “deflategate” case progressed. Incredible amounts of money hinge on the performance of sports teams and athletes.

5. Although only Correa was charged, news reports quote Cardinals officials as blaming the conduct on “roguish behavior by a handful of individuals.”

6. This report comes from the aforementioned Times article, though Astros executives have stated emphatically that all former Cardinal employee passwords were different than those previously used in St. Louis.

Andrew Garbarino is of counsel with Ruskin Moscou Faltischek, where he is a member of the health care, white-collar crime & investigations and cybersecurity groups. Law student Corey Morgenstern contributed to the article.

Reprinted with permission from the September 26, 2016 edition of the NEW YORK LAW JOURNAL © 2016 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or [email protected]. # 070-11-16-16