On June 16th, the baseball world was rocked. The New York times reported that not only had the F.B.I. made significant progress in their investigation concerning the Astros' hacking scandal, but also, that the St. Louis Cardinals were responsible. If true, it would represent the first known "case of corporate espionage in which a professional sports team has hacked the network of another team."
However we no longer need to qualify that statement with "if true". The Cardinals' chairman, Bill DeWitt, "blamed 'roguish behavior' for the team's involvement in the alleged hacking of the Houston Astros' player personnel database", and predicted that the organization would "emerge stronger than ever." That could not have been further from the truth however, as the situation has only gotten worse. Today, the Cardinals fired their scouting director, Chris Correa, for his role in the scandal.
"Correa has admitted hacking into a Houston Astros database but said it was only to verify that the Astros had stolen proprietary data, according to a source with knowledge of the investigation.
Correa did not leak any Astros data, and is not responsible for additional hacks that the FBI has alleged occurred or leaking any data, said the source."
There are a couple things to digest here. The first is that his excuse simply doesn't matter. Hacking into another team's database is highly illegal, and if convicted Correa could face prison time because of it.
The Computer Fraud and Abuse Act
While this is brand new territory for a sports franchise, there are laws in place that Correa will have to answer to.
In the attached article, Calcaterra notes that even though the act is fairly old in terms of laws that pertain to technology, it does apply here.
"The CFAA is an old law as far as tech laws go. It was developed in 1984, back when Congress was just coming to grips with the fact that computers were the future and that hacking was a potentially serious deal. Of course as Congress tends to do when it doesn't fully understand something, it legislated broadly and somewhat sloppily. The CFAA and its many amendments and revisions -- some wound up into the Patriot Act -- are now vague enough to where it has been used to prosecute people for any computer related crime."
Even with its wide scope, Correa's alleged actions were likely one of the main reasons that the CFAA was created, and appears to fall directly under its language.
(a) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(b) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage
At the very least, it seems that Correa violated 5(a) and 5(b) of the code, and will face charges accordingly.
The other important piece of information from the original statement is that Correa attempted to justify his alleged actions and pin them directly on the Astros. For the moment, assume that Jeff Luhnow and his team did take proprietary information from the Cardinals when he left. That's a matter for the F.B.I., or another organization entirely to handle, not an employee of professional baseball team. If his concerns were legitimate, he should have notified the relevant authorities to handle the situation.
Correa is already backtracking
While it appeared that Correa had admitted to hacking the Astros, his lawyer, Nicholas Williams is denying that claim.
"Mr. Correa denies any illegal conduct. The relevant inquiry should be what information did former St. Louis Cardinals employees steal from the St. Louis Cardinals organization prior to joining the Houston Astros, and who in the Houston Astros organization authorized, consented to, or benefitted from that roguish behavior."
It's obviously Williams' job to defend his client, and do whatever it takes to clear his name, but this is not the way to go about that. The F.B.I. has had complete access to the Astros' database from the start of this investigation, and considering that "subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence", it's fair to assume they would be able to identify if Houston had committed any wrong doing.
Contrary to Correa's lawyer's statement, his intent in accessing the Astros' network is irrelevant under the law. https://t.co/jajBP5bq3G— Nathaniel Grow (@NathanielGrow) July 2, 2015
What can we expect next?
At the outset of this scandal, the Cardinals maintained that this wouldn't affect their organization in any major way, but the loss of their scouting director is a huge blow. Correa may not have been the one to leak the data publicly, but that unfortunately means that there will likely be other individuals implicated before the conclusion of this investigation.
When the story first leaked, the timeline of these events was unclear, however just a couple days after the New York Times article was released, "The [Houston] Chronicle...learned that the Cardinals had unauthorized access to Astros information, a year earlier than was previously known." In total, there were three breaches to Houston's database, in addition to the eventual leak of internal documents.
The next couple weeks will undoubtedly bring much more information to light, and there is one critical distinction that needs to be made. If other employees were simply aware of the fact that Correa allegedly hacked into the Astros' system, they wouldn't face any criminal charges, as no citizen is obligated to report a crime. However, if other members helped perpetuate the attack, or took steps to cover their tracks, that's an entirely different matter, and could land them in prison with Correa if he's found guilty.
This story is not even close to being over, and Correa's firing is just the latest revelation. There's no getting around the fact that this clouds the Cardinals' organization far more than it already was. Mike Bates penned an excellent article that MLB would need to "drop the hammer on the Cardinals regardless of front office complicity", and it's incredibly relevant today. MLB will probably wait until after the F.B.I. has concluded their investigation to hand out their own punishments, but they must be severe. Once all the facts are known, they could ban individual members for a specific amount of time, or even permanently.
The big takeaway from this recent news is that by firing their scouting director, the Cardinals are admitting guilt, although Correa and his lawyer have seemingly done no such thing. They can no longer hide behind the facade that the hack was executed by one or two of rogue staff members. This was an intentional breach, committed by at least their scouting director (although he didn't occupy that position at the time of the hack), and potentially more.
*Note, as pointed out in the comments section, Correa wasn't in his current position during the time when he allegedly hacked into the Astros database. The article has been amended in areas to reflect that.