Last month the country learned about the unauthorized access of the Houston Astros “Ground Control” database, which contained trade talks, proprietary statistics, and scouting reports, by members of the St. Louis Cardinals front office staff.  The incident revolves around Jeff Luhnow, the Astros General Manager since 2011, and a former Cardinals front office executive.  While Luhnow was with the Cardinals he built a similar database, and according to federal investigators the Cardinals used a master list of account names and passwords Luhnow used while with his former team to access his proprietary database at the Astros. 

Too often companies view cybercrimes as only having to deal with consumers’ personal information like Social Security numbers, credit card numbers, health information, and other financial account information.  But this case highlights two very real issues that all companies face when dealing with the protection of proprietary information.

The first issue is that of account and password management, which is the reason the Cardinals were able to access the Astros network.  Here, Luhnow appears to have used the same or a similar username and password to that he used while employed by the Cardinals.  While the unauthorized use of Luhnow’s username and password to gain access to the Astros database is criminal, it nonetheless highlights the importance of proper account and password management, which includes requiring employees to use unique usernames and passwords, and periodically changing them (a best practice is every 90 days).  If a Cardinals employee was able to access Luhnow’s account with an old username and password from his time with the team (which was from at least 2011, if not older), then it proves the Astros were too relaxed in its account and password management which should have required strong passwords, including periodically changing them.           

The second, and perhaps more scary issue to companies, is the issue of corporate espionage, which is a risk companies need to address through strong information security programs.  All companies hold valuable trade secrets and proprietary information, which in the hands of competitors can wreak havoc on a business.  Only by properly identifying your company’s “crown jewels” and then implementing strong technical and organization security controls can you begin to adequately protect this information from ending up with the competition. 

Companies of all sizes and business types need to take data security seriously, and use the latest example of the Astros and Cardinals as a reminder that data security is not just about protecting personal information, but also about protecting trade secrets and other proprietary data from competitors.  Senior executives cannot continue to ignore these risks, and only by taking the first step of beginning to work with legal and technical experts to implement adequate controls can a company begin to protect itself from the cyber threats populating the competitive landscape.