WASHINGTON — As FBI agents try to build a case against personnel in the St. Louis Cardinals’ front office who are accused of breaking into the network that housed the Houston Astros’ closely guarded baseball intelligence, they are struggling with one particular aspect of the investigation: determining who, specifically, had his hands on the keyboard.
The investigation is focused on a small group of Cardinals employees who specialize in statistical analysis and computer programming and had access to a computer in a residence near the team’s complex in Jupiter, Fla., during spring training in 2014.
Despite efforts by the intruder or intruders to mask their location, the agents were able to trace at least one of the breaches directly back to that computer. At least four members of the team’s baseball operations staff have hired criminal defense lawyers, according to people briefed on the investigation.
As part of the government’s efforts to determine who might have been operating the computer, federal prosecutors have subpoenaed a wide range of computer information from the Astros, the Cardinals and Major League Baseball. In a sign that the government was still building its case, the Astros received a subpoena in recent months for more information from their network.
Sign Up and Save
Get six months of free digital access to Belleville News-Democrat
If four or five men were working in the residence at one time, electronic forensics alone may not be able to establish whose fingers were on the keyboard.
“To put it simply, investigators are trying to match up the intrusions with the different times that different Cardinals front-office personnel were on the computer,” said one person briefed on the case. “It has been very difficult.”
Another person briefed on the investigation added, “The FBI has some sense of how long different guys were on the computer, but it hasn’t been easy.”
Cardinals executives have denied any knowledge of the hacking, and owner Bill DeWitt Jr. last week said the team was apparently the victim of "roguish behavior." DeWitt and General Manager John Mozeliak said the team was conducting its own investigation, but couldn’t discuss any findings or other details of the probe while the FBI investigation continued.
Whoever gained access to the Astros’ network tried to take some measures used by experienced hackers to disguise their location. But, law enforcement officials said, the intruders were not adept.
“They tried to mask themselves like an experienced hacker and failed,” said a person briefed on the investigation. “It’s clear they weren’t very good at what they were trying to do.”
The inability to properly cover tracks proved to be a significant break for the FBI. When the bureau opened an investigation into the breach last year, agents followed the trail of the intrusion directly to the computer that had been used at the residence in Jupiter.
Whoever gained access to the network is believed to have done so by logging in as Jeff Luhnow, the Astros’ general manager, or Sig Mejdal, whose title is director of decision sciences. Both officials joined the Astros from the Cardinals. The intruder or intruders examined the Cardinals’ network and determined the passwords that Luhnow and Mejdal had used when they were with the Cardinals. Using those passwords, they gained access to the Astros’ network.
The slip-up in masking the location was similar to one that hackers made last year when they broke into Sony Pictures’ networks before the premiere of the film “The Interview,” a comedy about a plot to kill North Korea’s leader, Kim Jong-un. The hackers posted many of Sony’s emails and other internal communications online, embarrassing the company’s executives. While the hackers took many steps to cover their tracks, American cybersecurity officials were able to find an instance in which they did not properly mask their location, enabling President Obama to publicly identify the North Korean government as the culprit and impose sanctions.
As baseball has experienced revolutions in technology and statistics in many ways, it remains relatively unsophisticated in others. Franchises have tried to develop elaborate information-sharing platforms in recent years, but they have increasingly relied on young and inexperienced programmers and analysts, like the ones now under investigation in the Cardinals’ front office.
While paying players exorbitant salaries, teams maintain small budgets for their front offices, often leading to the hiring of analysts and programmers right out of college. Those workers, who are paid significantly less than what they could make at a technology company or a start-up, are often enticed by the opportunity to work in baseball in a front-office position.
Because the technology skills of many scouts, coaches and executives are limited, the analysts and programmers have been given significant leeway in building programs, and until now there has been little pressure to put tight security in place. One team executive said he had not changed his password for his team’s network in three years.
The Cardinals, the Astros and Major League Baseball have said they will not discuss the specifics of the case until the federal investigation is finished. But news of the hacking investigation led to sharp criticism of the Cardinals organization, widely regarded as one of the most successful in professional sports.
The revelation that the Cardinals are under investigation has created one of the first significant challenges faced by Commissioner Rob Manfred since he took office in January.
So far, none of the Cardinals personnel have been put on leave or fired. Manfred is waiting to see whether the federal government brings charges before he decides whether to discipline the Cardinals. Along with suspending or banishing the front-office personnel who may have been behind the intrusion, he would most likely seek to punish the team and could order it to provide financial compensation to the Astros.