The St. Louis Cardinals said Tuesday they are cooperating with an investigation by FBI and Justice Department prosecutors into allegations the team hacked into the internal networks of the Houston Astros.
The New York Times report indicated the Cardinals front-office personnel were trying to steal closely guarded information about player personnel. Legal experts told the Washington Post that those employees could face prison time if convicted of computer espionage.
In a statement Tuesday, the Cardinals said:
“The St. Louis Cardinals are aware of the investigation into the security breach of the Houston Astros’ database. The team has fully cooperated with the investigation and will continue to do so. Given that this is an ongoing federal investigation, it is not appropriate for us to comment further.”
Investigators have uncovered evidence that Cardinals officials broke into a network of the Astros that housed special databases the team had built, according to law enforcement officials. Internal discussions about trades, proprietary statistics and scouting reports were compromised, the officials said.
The officials did not say which employees were the focus of the investigation or whether the team’s highest-ranking officials were aware of the hacking or authorized it. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.
Cardinals manager Mike Matheny said the news did not pose a distraction for his team, which has the best record in baseball at 43-21.
“I think once we have more information, I think then we’d be maybe a little more likely to have a distraction,” Matheny said before an afternoon home game with Minnesota. “Right now, it’s that thing that’s out there that none of us know too much about. So it’s not in the way of what we have to do.”
Matheny’s counterpart with the Astros, A.J. Hinch, also said his team would focus on baseball. Houston held a two-game lead atop the American League West entering the day.
“Obviously from the baseball perspective we’ll deal with the baseball and all other questions will go elsewhere,” Hinch said.
The Associated Press reported that Houston General Manager Jeff Luhnow was not made available to reporters in Houston on Tuesday, but he said in June 2014 that the team had been the victim of hackers who accessed servers and published months of internal trade talks on the Internet.
“It was an illegal activity and we’re going to pursue it and try and find out who did it and prosecute,” Luhnow said at the time, noting that the team was working with the FBI and Major League Baseball security to determine who was responsible for the breach.
The Astros rely heavily on sabermetrics in their evaluation of players and have been open about the fact that they use an online database to house their proprietary information. Luhnow has said other teams store data about players and trades online.
“One of the things I have been talking to my counterparts about with other clubs is recommending that everybody take a look at their own security systems and make sure they don’t get hacked the way that we were,” he said last year. “Because this definitely was an illegal activity.”
The Post report said Cardinals employees could face prison time if they accessed the Astros’ system without permission, as investigators believe, because that would be an infraction of federal law.
The report cited the Computer Fraud and Abuse Act, a 1986 law that made it a federal crime to obtain information from a computer without authorization. The law applies both to sophisticated hacking attempts and simpler breaches, such as the password-testing methods Cardinals employees allegedly deployed to crack into Luhnow’s system.
“This is classic corporate espionage . . . If true, it clearly violates the law,” said Alexander Southwell, a former federal prosecutor and co-chair of the privacy, cybersecurity and consumer protection practice at Gibson Dunn & Crutcher law firm.
The law doesn’t differentiate between a Chinese national trying to steal design schematics from American aerospace companies, or a Cardinals employee wanting to find out what Astros scouts think of their team’s young prospects and whom they’d be willing to trade.
“There’s healthy competition between teams,” former federal prosecutor Michael Wildes told the Post. “When someone physically extracts proprietary intelligence that’s not transparently available to the public, that’s a crime.”
The attack represents the first known case of corporate espionage in which a professional sports team has hacked the network of another team. Illegal intrusions into companies’ networks have become commonplace, but it is generally conducted by hackers operating in foreign countries, like Russia and China, who steal large tranches of data or trade secrets for military equipment and electronics.
Major League Baseball “has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros’ baseball operations database,” a spokesman for baseball’s commissioner, Rob Manfred, said in a written statement.
The Cardinals officials under investigation have not been put on leave, suspended or fired. The commissioner’s office is likely to wait until the conclusion of the government’s investigation to determine whether to take disciplinary action against the officials or the team.
In the Post report, Southwell said the factors that could determine possible sentence length are the value of the information stolen, and what Cardinals employees did with it.
“It’s too early to tell whether they took information that was helpful in games, or whether they destroyed information in an attempt at sabotage, or if they just accessed it for some prurient interests,” Southwell said. “If they haven’t actually done anything with the data, it’s just a breach of security. Those typically don’t have long prison sentences.”
The case is a rare mark of ignominy for the Cardinals, one of the sport’s most revered and popular organizations. The team regularly commands outsize television ratings and has reached the National League Championship Series nine times since 2000. The Cardinals, who last won the World Series in 2011, have 11 titles over all, second only to the Yankees.
Their owner, Bill DeWitt, is a highly regarded executive who last year was in charge of the search committee for a new commissioner to replace the retiring Bud Selig.
Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.
From 1994 to 2012, the Astros and the Cardinals were division rivals, in the National League. For a part of that time, Luhnow was a Cardinals executive, primarily handling scouting and player development. One of many innovative thinkers drawn to the sport by the “Moneyball” phenomenon, he was credited with building baseball’s best minor league system, as well as drafting several players who would become linchpins of the Cardinals’ 2011 World Series-winning team.
The Astros hired Luhnow as general manager in December 2011, and he quickly began applying his unconventional approach to running a baseball team. In an exploration of the team’s radical transformation, Bloomberg Business called it “a project unlike anything baseball has seen before.”
Under Luhnow, the Astros have accomplished a striking turnaround; they are in first place in the American League West division. But in 2013, before their revival at the major league level, their internal deliberations about statistics and players were compromised, law enforcement officials said.
The intrusion did not appear to be sophisticated, the law enforcement officials said. When Luhnow was with the Cardinals, the organization built a computer network, called Redbird, to house all of their baseball operations information — including scouting reports and player personnel information. After leaving to join the Astros, and bringing some front-office personnel with him from the Cardinals, Houston created a similar program known as Ground Control.
Ground Control contained the Astros’ “collective baseball knowledge,” according to a Bloomberg Business article published last year. The program took a series of variables and “weights them according to the values determined by the team’s statisticians, physicist, doctors, scouts and coaches,” the article said.
Investigators believe Cardinals officials, concerned Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.
Last year, some of the information was posted anonymously online, according to an article on Deadspin. Among the details that were exposed were trade discussions that the Astros had with other teams. Luhnow was asked at the time whether the breach would affect how he dealt with other teams. “Today I used a pencil and paper in all my conversations,” he said.
Believing that the Astros’ network had been compromised by a rogue hacker, Major League Baseball notified the F.B.I., and the authorities in Houston opened an investigation. Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in. The agents then turned their attention to the team’s front office.
What: The website Deadspin reported last year that the Astros’ database had been breached, Major League Baseball notified the FBI, according to the report. The FBI launched an investigation that traced at least some of the leaks to employees of the Cardinals.
How it happened: The theory is that some St. Louis officials were concerned that Jeff Luhnow, the former Cardinals executive hired by the Astros as general manager after the 2011 season, might have taken confidential information with him to Houston. According to the report, the Cardinals checked the passwords Luhnow — and other former St. Louis employees who had joined him in Houston — had used with the Cardinals, then used some of those passwords to break into the Astros’ computer system.