Accessing someone’s computer without authorization is a federal crime under the Computer Fraud and Abuse Act (CFAA). This past week, several news sources have reported that the FBI and Justice Department are investigating executives of the St. Louis Cardinals for allegedly violating the CFAA by hacking into the Houston Astros’ internal computer network. It’s suspected that the Cardinals’ front office was trying to steal the Astros’ player personnel data and other proprietary information. According to the New York Times:
Internal discussions about trades, proprietary statistics and scouting reports were compromised . . . . Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager, who had been a successful and polarizing executive with the Cardinals until 2011.
Investigators told the New York Times that the Cardinals front office “examined a master list of passwords used by Mr. Luhnow and other officials” and then “used those passwords to gain access to the Astros’ network.”
This internal network contained highly valuable information. The New York Times cited a Bloomberg Business article (titled Extreme Moneyball) that described the database as housing the Astros’ “collective baseball knowledge,” which takes a series of variables and weighs them “according to the values determined by the team’s statisticians, physicist, doctors, scouts and coaches.”
Many businesses are now quite familiar with this type of illegal activity—though it may be the first reported case of corporate espionage involving two professional sports teams. But the way that the Cardinals’ front office allegedly accessed the Astros’ computer network underscores specific measures that companies should take to address ever-present risks when employees switch teams.
Controlling Passwords. Companies should already be enforcing a password-duration policy that requires employees to change their computer passwords every few months. But this investigation highlights that, during the on-boarding process, companies should prohibit newly hired employees from recycling passwords that were used to access their former employer’s computer network, especially when those former employers are direct competitors.
Monitoring Access. Company network administrators should be utilizing the auditing features built into their computer networks’ operating systems. These audits can alert administrators to abnormal file access or log-in patterns that can help uncover suspicious activity. And there should be an open line of communication between these administrators and executives about potentially suspicious activity.
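An intruder who logs in with a valid password produces no failed-login noise, so the audit has to look at where successful log-ins come from. The following is an added example, not part of the original article: it flags successful log-ins from a source address never before seen for that account, and any single new source that reaches several accounts. The log format, account names, addresses and dates are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit logs; the line format is hypothetical.
BASELINE_LOG = """\
2014-02-03T08:55:10Z LOGIN_OK user=gm src=10.0.4.17
2014-02-03T09:01:42Z LOGIN_OK user=scout1 src=10.0.4.22
2014-02-04T08:58:03Z LOGIN_OK user=gm src=10.0.4.17
2014-02-04T09:12:30Z LOGIN_FAIL user=analyst src=10.0.4.31
2014-02-04T09:12:41Z LOGIN_OK user=analyst src=10.0.4.31
"""
REVIEW_LOG = """\
2014-03-10T09:00:12Z LOGIN_OK user=gm src=10.0.4.17
2014-03-10T22:14:05Z LOGIN_OK user=gm src=203.0.113.50
2014-03-10T22:19:48Z LOGIN_OK user=scout1 src=203.0.113.50
2014-03-11T09:03:27Z LOGIN_OK user=analyst src=10.0.4.31
2014-03-11T10:40:00Z LOGIN_OK user=scout1 src=10.0.4.23
"""

LINE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def parse(text):
    """Yield (timestamp, event, user, source) for each well-formed line."""
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            yield match.groups()

def known_sources(text):
    """Map each account to the sources it has logged in from successfully."""
    known = defaultdict(set)
    for _, event, user, src in parse(text):
        if event == "LOGIN_OK":
            known[user].add(src)
    return known

def review(baseline_text, review_text, shared_threshold=2):
    """Return (new-source log-ins, new sources shared by several accounts)."""
    known = known_sources(baseline_text)
    new_source, by_src = [], defaultdict(set)
    for ts, event, user, src in parse(review_text):
        if event == "LOGIN_OK" and src not in known.get(user, set()):
            new_source.append((ts, user, src))
            by_src[src].add(user)
    shared = {src: sorted(users) for src, users in by_src.items()
              if len(users) >= shared_threshold}
    return new_source, shared
```

A single new source is often benign (a new workstation, travel); one unfamiliar address reaching several accounts is the pattern that merits escalation to the executives the administrators report to.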
Understanding Value/Liability. Companies need to start fostering a corporate culture where employees understand the value of keeping business information confidential (as well as the potential liability of attempting to use or steal a competitor’s confidential business information). In addition to confidentiality agreements and policies, regular training on what the company expects will go a long way.
Contacting Law Enforcement. Companies should consider whether contacting law enforcement officials makes the most business sense. The Astros contacted authorities after its information was posted on Deadspin, but that was nearly a year ago. Companies can also pursue civil litigation in state or federal courts—where they may be able to receive quicker business relief through an injunction.
These are just a few suggested measures. But the broader point is that companies must remain proactive, vigilant, and creative when it comes to protecting their business information.