Houston Astros Hack Exposes Poor Cyber Security Practices

Doping allegations, illegal gambling, and other attempts to game the system and give a player or a team an edge have long plagued the professional sports world. Now, the cheating has gone cyber. Chris Correa, a former executive with the Saint Louis Cardinals MLB team, has been sentenced to nearly four years in prison for hacking into the Houston Astros’ database and stealing confidential information that could have given the Cardinals an unfair advantage. It is unclear how many other Cardinals employees – if any – were aware of the Houston Astros hack, and the MLB is looking into taking action against the team as a whole.

However, whether or not the MLB decides to sanction the Cardinals, the Astros need to clean up their cyber security act, and other organizations should take heed of the mistakes the team made.

How Did the Houston Astros Hack Happen?

The Houston Astros hack could have been prevented if the team had simple proactive cyber security practices in place; don't make the same mistakes!

Although it involved the glamorous world of professional sports, the Houston Astros hack was just like most other data breaches. It happened not because a hacker found a “backdoor” into the system but through the use of stolen login credentials. Many times, these credentials are stolen via a phishing scheme, but Correa didn’t have to bother with putting one together; in fact, he may not have possessed the technical prowess to launch a phishing scheme.

According to court documents, a former Cardinals employee, identified only as “Victim A,” left the Cardinals to join the Astros organization in late 2011. Victim A was instructed to hand over his work laptop – and its password – to Correa. Correa, apparently figuring that the employee would use the same password or something very close to it in his new position, attempted to use the information to access the Astros’ database. He eventually figured it out and proceeded to steal confidential information regarding the player draft, trade negotiations, and other sensitive data. Even worse, after the Astros updated their database, Correa was able to obtain the new login information by accessing Victim A’s email account, where he found a message containing default login information to the new database system.

While Correa’s behavior was reprehensible, the Houston Astros hack didn’t have to happen. The organization could have prevented the breach by taking a few basic proactive security measures:

  • Victim A’s practice of using a password that was very similar to the one he’d used at his previous job is a common error; despite security experts advising them otherwise, most people use the same password for multiple sites. Employees should not be allowed to choose their own passwords; instead, they should be assigned strong passwords and be required to change them on a regular basis.
  • Systems that contain highly sensitive data should require multi-factor authentication upon login, not just a user name and password.
  • Default login information should never be disseminated to employees through email. This information should be given to each employee in hard copy, and the system should automatically require the employee to change their default credentials the first time they log in.
  • All systems should be continuously monitored for anomalous activity, such as an employee logging in from an unusual location or at odd hours.

The Houston Astros hack should be a wakeup call to organizations in all industries. It was not masterminded by a skilled hacker but a regular individual who took advantage of basic security flaws. Instead of being proactive, the Astros were reactive with their information security, and Correa’s plea deal estimates that their carelessness with employee passwords cost them $1.7 million.

Many organizations do not have the resources to handle all of their information security needs in-house; many others don’t know where to start. This is why they should partner with a professional cyber security firm such as Lazarus Alliance. The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, spear phishing attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization.

Lazarus Alliance