Yesterday, former St. Louis Cardinals Scouting Director Chris Correa pled guilty to crimes associated with the unlawful hacking of Houston Astros information systems in 2013 and 2014.
To date, it’s been very unclear exactly what Correa did or didn’t do, why he did it, who knew about it, when exactly it happened, and what exactly was accessed. Thanks to yesterday’s hearing in the case, we now have a whole lot more information to address those questions.
And it’s really bad.
You can read the indictment against Correa here, which includes some far more damning allegations than we’d heard previously. According to federal investigators, Correa accessed the Astros’ internal database multiple times over the course of more than a year. That included accessing and filtering Astros player evaluations during the 2013 draft and on Trade Deadline day in 2013.
Worse for Correa, when the security of the Astros’ system was questioned in a news article in early 2014, and the team thereafter emailed employees with instructions about the new location of the database and how to access it, Correa hacked into an Astros employee’s email and used it to re-access the internal Astros database.
These are serious offenses, criminally speaking, and Correa is likely to face significant fines and/or time in prison.
Correa told the court, by the way, that he did find proprietary Cardinals information when searching, which could be a problem for the Astros down the line (they have denied it), but is not really relevant to the proceedings against Correa (it’s still very much illegal to hack into someone else’s systems to see if they stole from you; and, as I said above, I don’t really buy that that’s what was going on anyway). Neither is it necessarily relevant to what, if any, punishment is levied against the Cardinals.
At this point, it does seem like the Cardinals are going to face discipline.
The tricky thing for MLB is that *even if* Correa acted completely alone, and *even if* absolutely no one else in the organization knew what he was doing, it’s pretty hard to believe the Cardinals didn’t benefit at some extended level by the information that Correa gleaned. Other Cardinals executives can claim forever that they never benefited from the information, but Correa was a key decision-maker in in the organization, and his knowledge was tainted by ill gains. He was scouting guy in an elevated position accessing another team’s scouting information during a draft, for crying out loud.Whether the Cardinals did or didn’t gain from the information may not be something MLB will ever be able to prove … which is the very problem when a very high-level executive illegally hacks into another team’s system and steals information. Whether Correa was doing it for himself or for the organization, his knowledge was impacted by what he learned, and he was in a position of authority with the Cardinals. Organizations are but a collection of individual people. If we throw out everything that “individuals” do, what is an organization anyway?
That’s why MLB cannot have this kind of thing happen, and cannot be seen as allowing it, even in the case of a “lone gunman.”
Based on the information revealed in filings against Correa and his admissions, I find it extremely difficult to believe that he was a “lone gunman” anyway. But even if he was, allowing the organization to slide sends the message that teams hacking other teams is OK so long as there is plausible deniability. That can’t stand.
The league has to incentivize teams to do whatever they can to prevent these situations – even lone gunmen – from happening, because they are the only available firewall.
Any punishment could involve fines, or perhaps the loss of draft pick(s). Given that part of Correa’s incursion so directly related to the draft, there seems to be a fair and appropriate relationship there.