FBI and DOJ Ring Up St. Louis Cardinals for Cyberattack on Houston Astros

Subpoenas have been served on the Cardinals and MLB, both of whom are believed to be cooperating with federal officials. Investigators have reported that internal discussions about trades, confidential statistics, and scouting reports were compromised. This news dwarfs the National Football League’s “DeflateGate” scandal from last season.

The Astros hacking is the first known case of corporate espionage in the world of professional sports and targeted an information database established by Astros General Manager Jeff Lunhow, who left the Cardinals in December 2011 to take over the Astros. While Lunhow was with the Cardinals, the team created a computer network known as Redbird, which retained sensitive baseball operations and scouting information. After Lunhow joined the Astros, they created a similar program known as Ground Control. Law enforcement officials claim that Cardinals management became concerned that Lunhow used Cardinals proprietary information in his new position with the Astros, so they used passwords in his possession to penetrate the Astros’ system.

The news of this hack underscores that all industries need to exercise information security vigilance and take adequate measures to protect their trade secrets and sensitive information. Considering the global operation of many professional sports franchises, the sensitive data hacked could theoretically include confidential financial and highly sensitive health records regarding past, present, and future players, as well as financial data from fans who use credit cards to buy merchandise and pay for seats.

Federal prosecutors are likely looking to determine if the Cardinals and/or specific employees or outsiders are responsible for criminal liability under the Computer Fraud and Abuse Act, which criminalizes knowingly accessing a computer without authorization or exceeding authorized access and obtaining information from any protected computer and imposes hefty fines and the potential for imprisonment up to 20 years. (18 U.S.C. § 1030.) The CFAA also authorizes civil actions by the victims against the perpetrators to obtain compensatory damages and injunctive relief.

The state attorneys general and district attorneys in Missouri and/or Texas may also investigate and under the relevant state criminal statutes, the perpetrators could potentially face fines upwards of $10,000 and state prison time up to 20 years. The relevant state penal code statutes may also authorize civil actions for damages by the victims against the perpetrators, as well as payment of attorneys’ fees.

Because the information hacked may include “proprietary and/or trade secret information,” the perpetrators will likely face civil liability for a variety of claims, including the theft of trade secrets and the invasion of privacy for any player adversely affected by these acts. Although the exact nature of the data breached has not yet been revealed, the databases may also contain protected confidential health information relating to player injuries and even mental health and other highly sensitive personal history information which could theoretically have the potential to affect the value of the players depending on how it is used and disseminated.

Hacking and resulting data breaches can have far-reaching implications for client value. The range of potential liability looming for the Cardinals and the individual perpetrators highlights that employees must be held to high ethical standards contained in internal data and computer use policies while on the job. The potential resulting damage to the Astros and the individuals affected underscores the importance of maintaining adequate information security.