It seems almost common these days to read about corporations engaging in blackhat hacking operations to steal data from their rival competitors, but never before have we heard of the same blackhat hacking tactics being used by professional sports league teams.
Earlier this week a story was reported by the New York Times about an FBI investigation into the St. Louis Cardinals Baseball team for an alleged hacking event that took place on the computer database system of the Houston Astros Baseball team sometime in 2013.
The Astros allege that someone working for the Cardinals hacked into a closely guarded database where the Astros kept top secret information about the team’s players. The compromised database system known as “Ground Control” was developed by Jeff Luhnow, a former St. Louis Cardinals executive that developed a similar database system known as “Redbird” for the Cardinals team before leaving to work for the Houston Astros.
Law enforcement investigators say that the hack did not appear to be sophisticated. The intruder just brute forced the “Ground Control” system using passwords that Mr. Luhnow used for the “Redbird” system during his time with the St. Louis Cardinals. They also traced the illegal login activity to an IP address of a St. Louis Cardinals employee’s former residence.
Could it be that the St. Louis Cardinals actually used blackhat hacking efforts to break into the Houston Astros system to gain insider knowledge about the team’s players in hopes to gain a competitive advantage? Or could this be a negative publicity attempt by the Houston Astros towards the St. Louis Cardinals as they are known rival teams.
Without being able to actually analyze the computer that illegally connected to the Astros “Ground Control” system it is hard to prove that somebody working for the St. Louis Cardinals actually did what is alleged. Since the event happened in 2013 it may be hard or impossible to even find the computer that connected to the system that would contain the logs necessary to prove the hacking event was performed by an agent of the St. Louis Cardinals.
It is also possible that an agent working on behalf of the Houston Astros or anybody with a little Internet know-how could proxy their Internet connection through another computer to disguise themselves in order to do something dirty, i.e. using a Cardinals employee’s compromised computer to create a “fake” hacking event in order to create access logs to the “Ground Control” system using Mr. Lunhow’s known log in. Which begs the most obvious question; Why would Mr. Luhnow use the same login on both systems, knowing the sensitivity of the information that was stored in the database systems?
At this point there are a lot of questions that will need to be answered before any judgement can be made. However, one lesson that should be taken from this tale of two rival teams; never use the same log in and password for two systems, and always create hard to guess log in passwords.