As we previously reported, the FBI has been investigating the St. Louis Cardinals for hacking into the Houston Astros’ internal computer network and stealing proprietary information, including internal discussions about trades, proprietary statistics, and scouting reports. The investigation has now concluded, the Cardinals’ former director of baseball development, Chris Correa, pleaded guilty to five counts of unauthorized access of a protected computer in January, and he has now been sentenced to 46 months in federal prison. He also must pay $279,038 in restitution. According to NPR, “U.S. District Judge Lynn Hughes, as she sentenced Correa, noted that the crime has resulted in stricter security at other baseball teams, according to a press release from the Justice Department. When Correa apologized and called his actions ‘reckless,’ [Judge] Hughes replied, ‘No, you intentionally and knowingly did these acts.’”
As the Department of Justice reported at the time of Correa’s plea:
The plea agreement details a selection of instances in which Correa unlawfully accessed the Astros’ computers. For example, during 2013, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects who the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered. He also viewed the team’s scouting crosscheck page, which listed prospects seen by higher level scouts. During the June 2013 amateur draft, he intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.
Correa later intruded into that account during the July 31, 2013, trade deadline and viewed notes of Astros’ trade discussions with other teams.
Another set of intrusions occurred in March 2014. The Astros reacted by implementing security precautions to include the actual Ground Control website address (URL) and required all users to change their passwords to more complex passwords. The team also reset all Ground Control passwords to a more complex default password and quickly e mailed the new default password and the new URL to all Ground Control users.
Shortly thereafter, Correa illegally accessed the aforementioned person’s e mail account and found the e mails that contained Ground Control’s new URL and the newly-reset password for all users. A few minutes later, Correa used this information to access another person’s Ground Control account without authorization. There, he viewed a total of 118 webpages including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.
On two more occasions, he again illicitly accessed that account and viewed confidential information such as projects the analytics department was researching, notes of Astros’ trade discussions with other Major League Baseball teams and reports of players in the Astros’ system and their development.
The parties agreed that Correa masked his identity, his location and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.
Michael McCann provides a good analysis of the sentence for Sports Illustrated and describes potential penalties Major League Baseball may pursue against the Cardinals.