The sorry story of Chris Correa, the St. Louis Cardinal executive convicted of hacking into the Houston Astros computer system expanded last month when Federal Judge Lynn Hughes unsealed details about the extent of the illegal conduct. As reported by David Barron and Jake Kaplan, in Houston Chronicle article entitled “As MLB ruling nears, new details of Cardinals’ hacking of Astros account”, wrote the information included “the hacking of the Astros’ email and player evaluation databases”. The unsealed documents were in Correa’s sentencing report.
There were three general areas of interest by Correa. First “Correa intruded into the Astros’ “Ground Control” database 48 times and accessed the accounts of five Astros employees. For 2 1/2 years, beginning in January 2012, Correa had unfettered access to the e-mail account of Sig Mejdal, the Astros’ director of decision sciences and a former Cardinals employee. Correa worked in St. Louis as an analyst under Mejdal, who came to Houston after the 2011 season with Astros general manager Jeff Luhnow, also a former Cardinals executive. “(Correa) knew what projects the Astros’ analytics department was researching, what concepts were promising and what ideas to avoid,” said one of the documents, signed by Michael Chu, the assistant U.S. attorney who prosecuted the case against Correa. “He had access to everything that Sig Mejdal … read and wrote.””
This information provided details on the “degree to which Correa used information from the Astros to influence the Cardinals’ draft and trade decisions. Prosecutors also noted that several months after his intrusions from March 2013 through June 2014, Correa in December 2014 received a promotion from the Cardinals.” Correa “studied the Astros’ trade notes “at least 14 times” as the July 31 non-waiver trade deadline approached and again before the annual general managers’ meetings and winter meetings the following offseason. “Ultimately, Correa was not intruding to see if the Astros took any information — rather, he was keenly focused on information that coincided with the work he was doing for the Cardinals,” Chu concluded.”
These details included checking into the Astros’ drafting strategy and player evaluations. Correa even went so far as to double check his recommendations for the draft with the Astros information before going to St. Louis brass. The article noted, “Before he proposed an idea, he could quietly check what another analytics-minded organization thought. He also could supplement his own ideas with the ideas of the Astros’ analytics department because he knew what projects the Astros’ analytics department was researching, what concepts they found promising, what ideas they had discarded.”
The second general area of intrusion was around the Astros’ internal email system, including the then Manager Bo Porter and his pitching coach. Finally, and in a delicious tactic Correa would try to use for leniency later, he sought to find information that Correa claimed the Astros illegally obtained from the Cardinals as part of the Astros’ front office staff worked for the Cardinals, including the current Astros’ General Manager.
For all his efforts, Correa was severely punished by Judge Hughes at this sentencing. Hughes accepted the US government’s recommendation in sentencing Correa to 46 months of incarceration and fining him some $300,000. Correa was also banned from Major League Baseball (MLB) for life by Commissioner Rob Manfred. Writing in the New York Times (NYT), in an article entitled “Cardinals to Suffer, but Former Executive Bears Brunt in Hacking Case”, Tyler Kepner wrote that Correa joins “the dubious company of Pete Rose, the hit king who gambled away his baseball future, and Jenrry Mejia, the former Mets reliever and three-time drug cheat” as the only former baseball professionals banned from the game for life.
Commissioner Manfred leveled a serious penalty on the St. Louis Cardinals as well. Kepner noted, “Manfred also ordered the Cardinals to pay $2 million to the Astros — the maximum fine he was allowed to impose, according to the league — and to give Houston their top two picks in this June’s draft.” Yet Kepner raised the question of whether the Commissioner’s sanction was appropriately severe enough as the Cardinals do not have a first-round pick in next year’s draft so that the Astros’ are actually getting the 56th and 75th pick overall in the draft. While a team does not usually find any future Hall of Famers at such late picks there is another reason why these slots can be valuable to the Astros as “The picks the Astros got on Monday carry literal value, too: the roughly $1.85 million in allotted bonus money that goes with them. That means that Luhnow, who is known for his draft creativity, will have that much more to spend on the draft this June, and the Cardinals will have that much less.”
While there were cries from some baseball executives that the punish was not stringent enough for the fine, noting the Cardinals are worth some $2bn; the Astros publicly supported the Commissioner’s final decision. Ben Reiter, writing in a Sports Illustrated article entitled “As hacking scandal finally ends, Astros satisfied with Cardinals’ penalty”, cited to Giles Kibbe, the Astros’ General Counsel (GC) for the following, “I think the award is a significant award. I don’t think they got off easy by any stretch. This is an unprecedented award by Major League Baseball that sends a clear message about the severity of Mr. Correa’s actions.” Perhaps not surprisingly, Kibbe and the Astros believed the Cardinals organization bore responsibility for Correa’s action, even though Correa apparently acted alone. Reiter said, “Kibbe also expressed his franchise’s view that while the league had appropriately concluded that while Correa had acted alone, the Cardinals still bore some responsibility as his employer and a beneficiary of his crimes. “I think the commissioner made clear in his ruling that it was only Correa—and no one else in the Cardinals’ organization—but that the Cardinals were responsible for his actions,” Kibbe said.”
What are the lessons from this entire affair? Matt Kelly, writing an article in his Radical Compliance blog, entitled “Two Compliance Lessons From Baseball Today”, found two which were the aforementioned corporate responsibility of the Cardinals (i.e. vicarious liability) and access controls, directed at the Astros for allowing the hack in the first place. I would follow Kelly’s first point because of the clear business advantages the Cardinals received from this information and the possibility they could use this advantage for years if they drafted players based upon the Astros’ confidential information. As to his second point, a robust IT security protocol is a must for any business; baseball, international energy concern or solo lawyer.
This is where the Greek gods enter the picture. Apparently the Astros were none the wiser as to Correa’s illegal act until Correa surreptitiously boasted about his hack by leaking it to the online publication Deadspin.com, so they would publish it and humiliate the Astros GM. Reiter reported, “Correa had in the summer of 2014 provided the information to Deadspin.com internal trade discussions that he had hacked from the Astros’ database, embarrassing Houston general manager Jeff Luhnow (a former colleague of Correa’s with the Cardinals) and other executives and forcing them to apologize to the players and teams involved. The irony, as Kibbe admitted, is that if not for the leak, Correa’s intrusion might never have been discovered; only after the information had become public were the Astros spurred go back and determine when their database had been illicitly accessed and what information had been viewed.”
The thing which most offended the Greek gods was hubris and Correa’s story proves once again that as the ancient Greeks learned long ago hubris always get you in the end.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017