Updated on August 9, 2016 by UpGuard
Sports is big business, and where money and competition collide, laws will be broken. This aptly describes the latest hack involving the St. Louis Cardinals and Houston Astros, though admittedly it sounds more like a teaser for a Hollywood blockbuster. Corporate espionage in sports has largely been a nascent phenomenon but will soon become commonplace as intrusion methods grow in sophistication and data moves into the cloud.
So a message to the Warriors: enjoy your victory, but ramp up your data security efforts. In a world of rising threats, the winners always have the best security.
For the uninitiated, a bit of backstory around the Houston Astros and St. Louis Cardinals: the two teams were longstanding National League division rivals from 1994 to 2012. During most of that time, Jeff Luhnow, the Astros’ current general manager, served as a high-flying Cardinals executive responsible for scouting and player development. He is credited with introducing many bleeding-edge Sabermetric-like techniques into the organization, and indeed his statistics and data-driven recruiting methods were instrumental to the Cardinals’ 2011 World Series win. Luhnow currently finds himself amidst a whirlwind of inquiries regarding the breach, including whether or not he continued to use the same passwords after leaving St. Louis:
"I absolutely know about password hygiene and best practices. I'm certainly aware of how important passwords are, as well as of the importance of keeping them updated. A lot of my job in baseball, as it was in high-tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard."
Whatever the case, hackers were ostensibly targeting Ground Control—a web application and database commissioned by Luhnow to house internal trade discussions, proprietary statistics, and scouting reports, among other things. Developed shortly after Luhnow’s arrival in Houston, the application/database—as part of the new general manager’s turnaround efforts—was instrumental in transforming the Astros from the worst team in the league to the leading team in their division. Shortly after the breach, a volume of private Astros trade conversations—10 months' worth—was posted to a public website.
Many of the top MLB teams have their own versions of Ground Control. And like Ground Control, these applications and databases are easily accessible online—making it convenient for executives to access up-to-date player statistics and trading information. Recent trends in cybercrime show a drastic rise in data breaches carried out for commercial gain, and Major League Baseball is by all measures a commercial enterprise: its current worth is estimated at $36 billion, with each team’s average value at $1.2 billion. Clearly, opportunities abound for black hat hackers intent on giving their home teams an extra advantage. And basketball is no different: even before the win, Golden State was valued at $1.3 billion. And the NFL? Worth more than the MLB and NBA combined. Similar Sabermetric-like systems and analytics also inform sports management decision-making in basketball and football and are no less susceptible to data theft.
In light of these events, MLB teams are scrambling to re-evaluate and bolster their own security architectures. Regardless of whether data breaches occur due to negligence or advanced persistent threats (APTs) coming out of left field, constant validation of one’s IT security and control mechanisms is critical to ensuring that intellectual property is properly safeguarded. To this end, UpGuard gives organizations continuous security monitoring and assessment capabilities for maintaining a strong security posture.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.