The alleged hack perpetrated by the St. Louis Cardinals against the Houston Astros took a traditional sports rivalry into foul territory. The FBI is investigating evidence that suggests Cardinals employees infiltrated a network the Astros built to store data containing discussions about trades, proprietary stats and scouting reports.
Some reports suggest the Cardinals conducted the attack as revenge against Jeff Luhnow, a former Cardinals executive, now with the Astros. Others suggest the hack was an attempt to gain a competitive advantage. Regardless of the motive, the news rocked the sports world and brought home an often-overlooked fact: most organizations still do not take cybersecurity seriously enough.
Cyber espionage is a very real issue in highly competitive industries, such as manufacturing and technology, but it’s something of a surprise in Major League Baseball. While Luhnow has downplayed the significance of the hack, suggesting much of the information named by the FBI would be entirely obsolete at this point, the damage could have been much worse.
Almost Too Easy
Unfortunately, many organizations outside of the traditional hacking targets don’t seem to approach cybersecurity with the same level of rigor as healthcare, financial institutions, or big retailers. That complacency leads to the kind of security lapses officials believe made this hack possible, such as poor password hygiene and a lax cybersecurity culture.
According to media reports, the alleged perpetrators were able to guess network passwords based on those previously used by Luhnow or Sig Mejdal, another former Cardinals employee now working for the Astros. Sports organizations regularly see players, staff and executives leave for rival franchises. It’s therefore critical to integrate preventative security controls that make it harder to breach network defenses and make proactive, holistic security part of the process.
All Data is Valuable to Someone
With all the attention on foreign-sponsored data breaches, such as the recent OPM breach attributed to China, many organizations believe themselves to be safe from cyberattacks. However, domestic corporate espionage events can be just as prevalent. Consider the 2009 spat between Starwood Hotels and Hilton, in which Starwood claimed two of its former executives stole sensitive trade secrets and brought them to Hilton, or the famous corporate espionage scandal between General Motors and Volkswagen A.G.
In this case, even if the Cardinals didn’t get access to information that truly gave them a competitive advantage, it’s clear enterprise security is still not taken seriously enough by most organizations – whether corporate or government. As this hack (and others before it) demonstrates, every industry and organization has data worth protecting, and the onus is on them to ensure they have all their bases covered.