Of Greek Gods and Data Breaches

by Thomas Fox

The sorry story of Chris Correa, the St. Louis Cardinal executive convicted of hacking into the Houston Astros computer system expanded last month when Federal Judge Lynn Hughes unsealed details about the extent of the illegal conduct. As reported by David Barron and Jake Kaplan, in Houston Chronicle article entitled “As MLB ruling nears, new details of Cardinals’ hacking of Astros account”, wrote the information included “the hacking of the Astros’ email and player evaluation databases”. The unsealed documents were in Correa’s sentencing report.

There were three general areas of interest by Correa. First “Correa intruded into the Astros’ “Ground Control” database 48 times and accessed the accounts of five Astros employees. For 2 1/2 years, beginning in January 2012, Correa had unfettered access to the e-mail account of Sig Mejdal, the Astros’ director of decision sciences and a former Cardinals employee. Correa worked in St. Louis as an analyst under Mejdal, who came to Houston after the 2011 season with Astros general manager Jeff Luhnow, also a former Cardinals executive. “(Correa) knew what projects the Astros’ analytics department was researching, what concepts were promising and what ideas to avoid,” said one of the documents, signed by Michael Chu, the assistant U.S. attorney who prosecuted the case against Correa. “He had access to everything that Sig Mejdal … read and wrote.””

This information provided details on the “degree to which Correa used information from the Astros to influence the Cardinals’ draft and trade decisions. Prosecutors also noted that several months after his intrusions from March 2013 through June 2014, Correa in December 2014 received a promotion from the Cardinals.” Correa “studied the Astros’ trade notes “at least 14 times” as the July 31 non-waiver trade deadline approached and again before the annual general managers’ meetings and winter meetings the following offseason. “Ultimately, Correa was not intruding to see if the Astros took any information — rather, he was keenly focused on information that coincided with the work he was doing for the Cardinals,” Chu concluded.”

These details included checking into the Astros’ drafting strategy and player evaluations. Correa even went so far as to double check his recommendations for the draft with the Astros information before going to St. Louis brass. The article noted, “Before he proposed an idea, he could quietly check what another analytics-minded organization thought. He also could supplement his own ideas with the ideas of the Astros’ analytics department because he knew what projects the Astros’ analytics department was researching, what concepts they found promising, what ideas they had discarded.”

The second general area of intrusion was around the Astros’ internal email system, including the then Manager Bo Porter and his pitching coach. Finally, and in a delicious tactic Correa would try to use for leniency later, he sought to find information that Correa claimed the Astros illegally obtained from the Cardinals as part of the Astros’ front office staff worked for the Cardinals, including the current Astros’ General Manager.

For all his efforts, Correa was severely punished by Judge Hughes at this sentencing. Hughes accepted the US government’s recommendation in sentencing Correa to 46 months of incarceration and fining him some $300,000. Correa was also banned from Major League Baseball (MLB) for life by Commissioner Rob Manfred. Writing in the New York Times (NYT), in an article entitled Cardinals to Suffer, but Former Executive Bears Brunt in Hacking Case, Tyler Kepner wrote that Correa joins “the dubious company of Pete Rose, the hit king who gambled away his baseball future, and Jenrry Mejia, the former Mets reliever and three-time drug cheat” as the only former baseball professionals banned from the game for life.

Commissioner Manfred leveled a serious penalty on the St. Louis Cardinals as well. Kepner noted, “Manfred also ordered the Cardinals to pay $2 million to the Astros — the maximum fine he was allowed to impose, according to the league — and to give Houston their top two picks in this June’s draft.” Yet Kepner raised the question of whether the Commissioner’s sanction was appropriately severe enough as the Cardinals do not have a first-round pick in next year’s draft so that the Astros’ are actually getting the 56th and 75th pick overall in the draft. While a team does not usually find any future Hall of Famers at such late picks there is another reason why these slots can be valuable to the Astros as “The picks the Astros got on Monday carry literal value, too: the roughly $1.85 million in allotted bonus money that goes with them. That means that Luhnow, who is known for his draft creativity, will have that much more to spend on the draft this June, and the Cardinals will have that much less.”

While there were cries from some baseball executives that the punish was not stringent enough for the fine, noting the Cardinals are worth some $2bn; the Astros publicly supported the Commissioner’s final decision. Ben Reiter, writing in a Sports Illustrated article entitled “As hacking scandal finally ends, Astros satisfied with Cardinals’ penalty”, cited to Giles Kibbe, the Astros’ General Counsel (GC) for the following, “I think the award is a significant award. I don’t think they got off easy by any stretch. This is an unprecedented award by Major League Baseball that sends a clear message about the severity of Mr. Correa’s actions.” Perhaps not surprisingly, Kibbe and the Astros believed the Cardinals organization bore responsibility for Correa’s action, even though Correa apparently acted alone. Reiter said, “Kibbe also expressed his franchise’s view that while the league had appropriately concluded that while Correa had acted alone, the Cardinals still bore some responsibility as his employer and a beneficiary of his crimes. “I think the commissioner made clear in his ruling that it was only Correa—and no one else in the Cardinals’ organization—but that the Cardinals were responsible for his actions,” Kibbe said.”

What are the lessons from this entire affair? Matt Kelly, writing an article in his Radical Compliance blog, entitled “Two Compliance Lessons From Baseball Today”, found two which were the aforementioned corporate responsibility of the Cardinals (i.e. vicarious liability) and access controls, directed at the Astros for allowing the hack in the first place. I would follow Kelly’s first point because of the clear business advantages the Cardinals received from this information and the possibility they could use this advantage for years if they drafted players based upon the Astros’ confidential information. As to his second point, a robust IT security protocol is a must for any business; baseball, international energy concern or solo lawyer.

This is where the Greek gods enter the picture. Apparently the Astros were none the wiser as to Correa’s illegal act until Correa surreptitiously boasted about his hack by leaking it to the online publication Deadspin.com, so they would publish it and humiliate the Astros GM. Reiter reported, “Correa had in the summer of 2014 provided the information to Deadspin.com internal trade discussions that he had hacked from the Astros’ database, embarrassing Houston general manager Jeff Luhnow (a former colleague of Correa’s with the Cardinals) and other executives and forcing them to apologize to the players and teams involved. The irony, as Kibbe admitted, is that if not for the leak, Correa’s intrusion might never have been discovered; only after the information had become public were the Astros spurred go back and determine when their database had been illicitly accessed and what information had been viewed.”

The thing which most offended the Greek gods was hubris and Correa’s story proves once again that as the ancient Greeks learned long ago hubris always get you in the end.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.