America's New Pastime

An article by: David Tan, Chief Technology Officer, CHIPS Technology Group

I grew up loving baseball. I used to watch Yankees games on my 9 inch black and white television before I went to bed, and a day out at the ballpark was about the greatest treat I can remember. I’m not as much of a fan now as I used to be, but it certainly still keeps me interested. It’s called America’s Pastime for good reason. We’ve been playing baseball in America for 150 years, and it’s a game we created and helped make great. Sure it’s had its share of black eyes over the years, but at the end of the day, it’s a great way to spend a day. The success of Major League Baseball has turned it very much into a big business. There is a lot of money at stake – in the forms of attendance and merchandising and TV contracts. That money makes it very cut-throat and competitive. That’s why even Major League Baseball isn’t immune from America’s new Pastime – corporate hacking and data privacy concerns!

In case you missed it, the Department of Justice announced recently that the FBI was investigating the St. Louis Cardinals and charges about whether they hacked into the Houston Astros’ network. That’s right, 2 major league teams acting just like rival businesses (which they are in every sense of the word) and trying to steal corporate secrets. Now I bet you’re wondering why the Astros? Well, if you haven’t been paying attention, the Astros are in first place, have the second best record in baseball and are doing it on a shoestring budget! They are most definitely onto something down there in Houston, and in the ultra-competitive world of MLB, it’s worth trying to find out what that is.

So what exactly happened? In short, the current General Manager of the Astros used to work for the Cardinals. While he was in St. Louis, he setup a network to house all their confidential data. Apparently when he left in 2011 for Houston, he did the same thing. A couple of front office employees from the Cardinals assumed he would use the same methods of storing critical data in his new job, so they set out to access it. How did they get in? They used a list of passwords he has used while in St. Louis! Sure enough, one or more of them worked. This got them access to the systems in 2013. The Astros just recently found out about it, when some of their confidential information made its way onto a sports blog site. I don’t even know where to begin detailing the mistakes the Astros made in this case!

Let me give it a try. I can think of 3 key areas where the Astros were entirely to blame for this breach, and some lessons we can learn from them.

(1) Going from one company to another in the same industry and replicating the same exact network is just begging for your competitor to gain access. If you insist on the same systems being put into place, can you at least make sure the passwords are different! Something to think about if you hire someone away from a competitor and give them carte blanche to setup new systems and processes. Are they simply duplicating what they have in place elsewhere and what type of exposure does that give us from a data security perspective?

(2) The Astros GM left St. Louis in 2011. Cardinals’ personnel gained access to their systems in 2013. What is the first thing that comes to mind when you see that? He wasn’t forced to change passwords in over 2 years. With everything we see and read about the ineffectiveness of passwords and how they lead to so many security problems, it kills me that this can still be causing problems. If you don’t have a secure, robust password policy or some sort of multi-factor authentication in place, stop reading right now and get that done. Go ahead, I’ll wait.

(3) So there was no secure password policy and outsiders were in their network for years without any knowledge. Plus, critical secure data made its way from that network to Deadspin of all places. I guess you could say the Astros were asleep at the wheel. Having absolutely no auditing or review of their internal systems in place is basically like leaving the front door open when you go on vacation. In IT, it’s not enough to have security controls in place (which they didn’t, but still). It’s critical to monitor all systems and services, and audit for best practices on a regular basis. One audit in 4 years would have easily saved the Astros the money and embarrassment caused by this breach.

I tongue in cheek called hacking America’s new pastime. While that probably isn’t the case (mostly because so much hacking is coming from abroad), there’s no denying it’s a growing “industry” and a growing problem. Nobody is immune to it. Every company in every industry needs to continue to take security seriously and to remain diligent. You never know when you’re team is going to be in first place and risk losing a pennant because some executive set his password to the name of his dog!