Cyberball: Major League Baseball and Information Security

Photo illustration digital baseball by Thursday Review

Photo illustration by Thursday Review

Cyberball: Major League Baseball and Information Security
| published July 4, 2015 |

By Kevin Robbie Thursday Review contributor

Professional sports teams are constantly searching for a competitive advantage over their counterparts. Sometimes this has involved dubious methods and the tools of trickery and spycraft: opposing teams secretly videotaping team practices, managers hiring lip-readers to translate conversations between coaches, and even—as it has been alleged—paying people on the inside to change the metrics of the game (think of the recent accusation that New England Patriots’ staffers deliberately deflated game balls in order to give quarterback Tom Brady a slight advantage in critical NFL playoff games).

Major League Baseball is no different. In this “new” age of sabermetrics, big-league teams create and mine huge amounts of data on players in order to find the next star or diamond-in-the rough who might have been overlooked by other teams. Prior to the trade deadline on July 31st, teams use the data to acquire players who may help them in their quest for a championship. Sabermetrics is the empirical analysis of baseball records and data, especially that data gathered based on in-game activities. Front offices utilize the data as a tool in order to form insights and opinions in making player personnel decisions involving trades, free agent signings and the MLB draft.

The collection and storing of such valuable information is only part of the process. Protection of the data is important as well. Information stored in the files of a major league baseball team front office is considered proprietary information. It can be accessed only by certain individuals in the front office and only when it is needed for analysis or distribution to other parties, at least that’s the theory. It is the job of the general manager to oversee the front office and make sure it functions smoothly. The general manager is, typically, the person who also makes decisions regarding the acquisition, scouting and drafting of players.

Among the major sports, baseball was late in embracing the technological revolution but has now done so with alacrity. Front offices place a premium on persons who are adept at acquiring and analyzing the relevant data. They have recently realized that using the data doesn’t mean much if it isn’t protected from prying eyes.

Technology—and the competitive world of sports analytics—is the basis for a federal investigation currently underway involving the St. Louis Cardinals, one of baseball’s most respected organizations. The Cardinals organization, primarily the front office, is being investigated for multiple hacking incidents involving “Ground Control,” the database of the Houston Astros. The investigation is in the hands of the FBI and is focused on a small group of former Cardinals’ employees. The former employees, whose names have not been released, were hired to perform statistical analysis and computer programming tasks. The most recent incident, from 2014, has been traced to a single computer that was located in a house in Jupiter, Florida—site of the Cardinals spring training.

Investigators are trying to determine whose fingers were actually on the keyboard (as of this writing, the Cardinals have dismissed Chris Correa, the person investigators believe was primarily responsible for the data theft). The parties involved attempted to disguise themselves as serious hackers but were unsuccessful in doing so. Investigators have described the incident as “unsophisticated.” The hackers might have had an easy path to gain access, however. Jeff Luhnow, the Astros general manager, was once employed by the Cardinals front office for his Sabermetric abilities. The hackers may have used educated guesses to select the proper password as it appears the passwords were never updated when Luhnow left to work for the Astros. In addition, the Astros cyber-security was described as “below industry standards,” so the hacker’s job would have been that much easier. When the Astros discovered the breach, they notified MLB security and the FBI. The information accessed primarily involved notes on trade discussions and player evaluations from scouts.

Regardless of the results of the federal investigation, this case will set a precedent for Major League Baseball as it is the first (known or reported) hacking incident involving MLB teams. The act of hacking is, by itself, a federal crime. There is also the issue of potential legal damages apart from the hacking itself. If the Astros were to seek compensation, they might have difficulty showing additional damages because they would need to prove that the Cardinals gained a competitive advantage through use of the information. Ironically, the biggest damage may accrue to the St. Louis Cardinals. The Cardinals brand is highly visible and popular. The organization is well-respected in baseball circles and the Cards’ are consistently successful on the field. At this early stage, though, the damage to the Cardinals appears to be minimal. Their primary revenue streams, fans in the seats and TV, are still strong and their sponsors are standing by them. It remains to be seen what damage, if any, was incurred by the Astros.

This hacking issue represents the first serious, baseball-wide legal matter confronted by new Commissioner of Baseball, Rob Manfred. Under the rules of MLB, the Astros cannot take legal action against the Cardinals directly. The matter would be dealt with by the commissioner’s office, which has the authority to levy fines against any major league franchise for breaches of MLB rules. Fines are currently capped at $2 million. However, MLB rules do not preclude any punishment that could be handed down by the legal system. The federal investigation is still in its early stages so it is premature to speculate on any legal outcome or speculate on actions to be taken by MLB. One immediate result of this incident is that all MLB teams have begun seriously upgrading their information security. It must also be pointed out that at this stage the St. Louis Cardinals as an organization have not been found guilty or liable for any wrongdoing. A point of defense for the Cardinals may arise if investigators discover the hacking was done without the knowledge of the employees’ superiors. The individuals under investigation have hired attorneys.

As the field of analytics is relatively new, this incident also raises questions of ethical guidelines and professional standards in the realm of cyber technology. It is a wake-up call not only for professional sports teams but for any industry reliant on computers to analyze and protect sensitive data. In other words, nearly every industry. Once this matter is resolved legally and within Major League Baseball, we may see MLB develop clearer standards and even require certification for analytics personnel. Then, everyone involved would know what level of expertise was expected and they would understand the parameters of whatever ethical guidelines were emplaced.

Major League Baseball, the Houston Astros and the St. Louis Cardinals have declined commenting publicly on details of this matter until the conclusion of the federal investigation. This week, the Cardinals fired Correa, a scouting director who investigators believe may have been responsible for the cyber theft.

Related Thursday Review articles:

Baseball park Intimacy: Risk Vs Reward for Fans; Kevin Robbie; Thursday Review; July 2, 2015.

Baseball's Shifting Future; Kevin Robbie; Thursday Review; April 20, 2015.