This morning, the New York Times reported that the FBI is investigating whether front-office employees of the St. Louis Cardinals hacked into the Houston Astros’ computer systems. Apparently, the Cardinals’ employees gained access to the Astros’ “internal discussions about trades, proprietary statistics and scouting reports.”
Virtually all businesses have trade secrets and proprietary information, and baseball teams are no exception. One of the Cardinals’ senior executives, Jeff Luhnow, left the team for the Astros in 2012. While he was at the Cardinals,
The organization built a computer network, called Redbird, to house all of their baseball operations information — including scouting reports and player personnel information. After leaving to join the Astros, and bringing some front-office personnel with him from the Cardinals, Houston created a similar program known as Ground Control.
Once he left, others at the Cardinals allegedly hacked into the Astros’ computer system, using a low-tech method. Not surprisingly, these baseball executives don’t seem to be particularly tech savvy. They simply used the same passwords that Luhnow used when he was still with the Cardinals:
Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.
This is the first time I can recall this type of corporate espionage taking place between competing sports teams. It will certainly attract a lot of attention, and I’m eager to learn more details about what transpired.
But this case also has a very simple lesson for all companies. When you hire someone from a competitor, their former employer knows what password they were using at their prior job. Obviously, you don’t want them using that same password at your company. Consider assigning a new password. Or instruct the employee to use a different password than they used at their prior job. Either way, you need to make sure that passwords are changed regularly.