Baseball scouting exec gets 46 months for guessing rival team’s password

Chris Correa, former scouting director for the professional US baseball team St. Louis Cardinals, on Monday was sentenced to nearly four years in prison for hacking a competing Major League Baseball team’s player-personnel database and email system.

In January, Correa pleaded guilty to five counts of computer hacking under the Computer Fraud and Abuse Act (CFAA) hacking statute.

Correa started working for the Cardinals in 2009 and was fired a year ago after he admitted to accessing the Astros’ database from 2013 to at least 2014.

ESPN reports that that’s the same year Correa was promoted to director of baseball development in St. Louis.

He’s looking at 46 months behind bars and a court order to pay $279,038 in restitution. It could have been worse: Correa could have been handed up to five years’ jail time on each count, though maximum sentences are rarely handed out.

According to ESPN, Correa read a letter in court before being sentenced by US District Court Judge Lynn Hughes, in Houston.

He told the court that he was “overwhelmed with remorse and regret for my actions.”

I violated my values and it was wrong … I behaved shamefully. The whole episode represents the worst thing I’ve done in my life by far.

The actions he’s regretting didn’t exactly constitute what you’d call sophisticated hacking.

Rather, it involved guessing at the passwords Astros General Manager Jeff Luhnow used when he worked overseeing drafts for the Cardinals, which he never bothered to change when he got hired as general manager for the Astros.

When Luhnow went on to leave the Cardinals, he handed over his work-issued laptop to Correa.

That allowed Correa to get at his ex-employee’s password for the Astros’ private, online database, called Ground Control, as well as access to Luhnow’s Astros-issued email account.

Luhnow, unfortunately, made it easy for Correa: while at the Cardinals, he was using a variant of the password he used while he worked for the Astros.

As we’ve explained, a reused password can effectively become a skeleton key to your whole online life.

We don’t know what password/password variant was at the heart of this baseball-centric series of database break-ins. But we do know the right way to pick a proper password: here’s a short, sweet video that shows you how.

The lack of a strong password is what enabled Correa to gain unauthorized access to an internal network of the Houston Astros and enabled the theft of closely guarded information about players, including internal discussions about trades, proprietary statistics and scouting reports.

In short, this is a case of corporate espionage.

Even if your password is “Password,” that doesn’t make it right, or even remotely legal, for somebody to break into your accounts.

Still, this is yet another example of how weak passwords have no place anywhere in an organization that has trade secrets to protect.

The same goes for individuals who have personal and financial data to protect: in short, all of us!