In St. Louis Cardinals inquiry, FBI investigators struggling to identify hacker(s)


The New York Times was the first news outlet to report that the FBI is investigating St. Louis Cardinals employees for breaching the Houston Astros' proprietary database and stealing information. That report was last Tuesday even though it feels like ages ago after the wave of hot takes that ignored many of the facts reported by the Times, Wall Street Journal, Houston Chronicle, and others. Michael Schmidt was the Times reporter to initially break the story and he's back at it again this week with another article that includes juicy tidbits from his anonymous law enforcement sources. Before we dig into some of the details, you really should read Schmidt's whole article.

Password Hygiene

Astros general manager Jeff Luhnow gave an interview with Sports Illustrated last week regarding the hack. In addition to explaining why any stolen data would be of little-to-no use to another big-league club's analytics department, Luhnow also touched on password hygiene. He denied that his own failure to change his password could be to blame for the unauthorized access to the Houston database:

On Wednesday night, the 49-year-old Luhnow commented on the report for the first time in an exclusive interview with SI.com. Luhnow said that he was not permitted to speak about the ongoing investigation—with which he and the Astros are fully cooperating—but he did address other elements of the report.

One was the implication that the hackers had been able to gain access to the Astros’ database—which is called Ground Control and contains scouting and medical reports and statistical projections, among other data—because he had failed to change his old passwords. "That’s absolutely false," said Luhnow, who worked as a technology executive before he began his career in baseball. "I absolutely know about password hygiene and best practices. I’m certainly aware of how important passwords are, as well as of the importance of keeping them updated. A lot of my job in baseball, as it was in high tech, is to make sure that intellectual property is protected. I take that seriously and hold myself and those who work for me to a very high standard."

Schmidt's latest reporting identifies two former St. Louis employees as those whose passwords might have been used to gain access to the Astros' database:

Whoever gained access to the network is believed to have done so by logging in as Jeff Luhnow, the Astros’ general manager, or Sig Mejdal, whose title is director of decision sciences. Both officials joined the Astros from the Cardinals. The intruder or intruders examined the Cardinals’ network and determined the passwords that Mr. Luhnow and Mr. Mejdal had used when they were with the Cardinals. Using those passwords, they gained access to the Astros’ network.

Based on Luhnow's emphatic denial that his password practices could have contributed to the ease with which the hackers gained access to his organization's database, Mejdal may be the better bet. Then again, perhaps Luhnow's assessment of his own password hygiene is incorrect. Or maybe the hackers just got lucky and guessed the password correctly. If unidentified Houston Chronicle sources are correct in stating that there were at least three breaches of Ground Control—one each in 2012, 2013, and 2014—then either the hackers guessed right multiple times or the same password remained in use over a three-year span.

Unsophisticated Hack

In Schmidt's initial reporting on the story, he wrote that the accessing of the Astros' database was "not sophisticated." Monday's article provides more details:

Despite efforts by the intruder or intruders to mask their location, the agents were able to trace at least one of the breaches directly back to that computer. At least four members of the team’s baseball operations staff have hired criminal defense lawyers, according to people briefed on the investigation.

****

Whoever gained access to the Astros’ network tried to take some measures used by experienced hackers to disguise their location. But, law enforcement officials said, the intruders were not adept.

"They tried to mask themselves like an experienced hacker and failed," said a person briefed on the investigation. "It’s clear they weren’t very good at what they were trying to do."

The inability to properly cover tracks proved to be a significant break for the F.B.I. When the bureau opened an investigation into the breach last year, agents followed the trail of the intrusion directly to the computer that had been used at the residence in Jupiter.

The ham-handed attempts to hide their tracks earned the St. Louis personnel a comparison to the North Korean hackers who accessed and stole internal Sony Pictures communications and documents, a breach that ultimately led to the cancellation of The Interview, a comedy with the premise of American television types being tasked with assassinating North Korean premier Kim Jong Un. Needless to say, neither chairman Bill DeWitt Jr. nor GM John Mozeliak wants to see law enforcement officials likening their employees' actions to those of the Hermit Kingdom. Yet here we are. This somehow makes the black mark on the Cardinals organization all the darker.

Hacker(s) Unidentified

Schmidt's sources did not divulge to him the focus of their investigation, which led to the following caveat in the initial Times piece:

The officials did not say which employees were the focus of the investigation or whether the team’s highest-ranking officials were aware of the hacking or authorized it. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.

Later, the Wall Street Journal reported that "mid-to-low-level staff" are the focus of the investigation. The Chronicle put the number at five St. Louis front office employees. Schmidt's Monday report echoed this information:

The investigation is focused on a small group of Cardinals employees who specialize in statistical analysis and computer programming and had access to a computer in a residence near the team’s complex in Jupiter, Fla., during spring training in 2014.

****

If four or five men were working in the residence at one time, electronic forensics alone may not be able to establish whose fingers were on the keyboard.

"To put it simply, investigators are trying to match up the intrusions with the different times that different Cardinals front-office personnel were on the computer," said one person briefed on the case. "It has been very difficult."

Another person briefed on the investigation added, "The F.B.I. has some sense of how long different guys were on the computer, but it hasn’t been easy."

So it appears that the investigation has hit a bump in the road of sorts. Based on the information the F.B.I. has uncovered, they have managed to focus their investigation on four or five individuals working for the St. Louis Cardinals in the areas of statistical analysis and computer programming. But they have been unable to pinpoint the identity of the culprit. At least not yet.