Computer Security – What Your Company Can Learn from Chris Correa
November 3, 2016
When the first IBM PC was released 35 years ago, people probably did not fully comprehend how the realms of technology, intellectual property and the law would ultimately intersect. While this scenario continues to unfold as technology evolves, one recent case highlights the importance of computer security in businesses and organizations.
As an avid Baltimore Orioles fan, I was particularly interested in a case this year that involved former St. Louis Cardinals’ Scouting Director, Chris Correa, who was convicted of hacking into the Houston Astros’ computer system to gain access to baseball scouting analytics and other confidential proprietary information.
Correa’s former boss, Jeff Luhnow, the former Vice President of Scouting and Player Development for the Cardinals, left to become General Manager for the Houston Astros in 2011. Soon after, Correa hacked into Luhnow’s email account at the Astros, by guessing his password. He gained access to the Astros’ intellectual property – primarily scouting and draft data and proprietary analytics of potential players targeted by the Astros.
Correa was eventually caught and sentenced to 46 months in prison and a faces a court order to pay $279,038 in restitution.
This case stood out for several reasons.
1. The typical scenario people would imagine is where the employee leaving a company steals files or intellectual property. In this case, a new hire (Luhnow) is the direct cause for a security breach by a competitor estimated to have caused $1.7 million worth of damage to the Houston Astros. It’s a different narrative than we typically see.
2. There were some raised eyebrows over Correa’s sentence. Almost four years in federal prison for gaining access to baseball stats? While to the lay person that might seem rather excessive, people familiar with the particular statute involved here (a federal statute with a fairly broad reach that has been used to take action against people who exploit technology loopholes) know there’s a pretty strong hammer when it comes to the criminal provisions of the statute—there are available civil remedies as well. Actually, Correa escaped what could have been a heavier sentence.
3. At some point, it was leaked that the Houston Astros were using a secret network called Ground Control through a local newspaper. Once the Astros administration became aware of the leaked information, they followed stringent security protocols, changing the URL for the network and assigning new passwords. The flaw in this approach occurred when they sent this updated information through their existing email system, which Correa already had access to through Luhnow. So for Correa, breaching the new security measures presented no challenge.
What lessons can your company learn from this?
In this case, a competing organization was able to walk in the door to a competitor in the form of a new employee. When companies hire an employee, they need to make sure they are using the best practices for their technological protocols, whether that means assigning a password at random or creating a new system for developing passwords. Since so much data is stored online, companies need to stay abreast of the latest security measures in order to protect themselves from these types of incursions.
Should a company fall victim to this type of incursion, there are civil remedies available to protect itself and strongly address these kinds of attacks.
To learn more about your options, call attorney Geoffrey Washington at 410-986-0850 or email him at firstname.lastname@example.org.