Q&A on Cardinals-Astros 'Hacking' Investigation

This first of its kind investigation for the MLB is examined by Electrical and Computer Engineering Professor Lance Fiondella

Representatives for the Major League Baseball team St. Louis Cardinals are under investigation by the F.B.I. and Justice Department prosecutors regarding accusations of hacking into an internal network of the Houston Astros to steal information about players. This first of its kind investigation for the MLB is examined by Electrical and Computer Engineering Professor Lance Fiondella. 

From the very few details we know about the investigation, how sophisticated of a "hack" would you consider this case to be? 

LF: The hack does not sound very sophisticated. The attackers went through the records of a former employee to obtain passwords. How the attackers were able to interface the computers they broke into is not explicitly stated, but may have required minimal to moderate effort for relatively skilled computer security professionals. 

This is the first of its kind investigation for MLB, but how often do cyber-attacks fall under the category of an individual/company/organization trying to access sensitive information from a competitor? 

LF: Cyber-attacks often target a competitor. Foreign military and security organizations do this all the time and are highly trained. It would not be surprising if organizations such as hedge funds with automated trading teams tried to steal code from their competitors and studied it to identify ways to use this knowledge of their competitors' strategies to their own advantage. Other entities that would commonly be classified as terrorist organizations or groups of hackers also perform such acts. The motivation of each organization is unique and needs to be taken into consideration to understand who they would target. 

Do you think this sounds an alarm for other professional sports teams? If so, what can they do to better protect themselves? 

LF: Professional sports is a multi-billion dollar industry. Like any business, they need to invest in computer security proportional to their risk exposure, which is based on the extent to which their operations depend on computing. There are methodologies to enumerate the possible consequences of cyber-attacks and quantify their relative criticality. However, the probability of such events is highly uncertain, which makes it difficult for these organizations to understand how much to invest in the protection of their assets, especially proprietary data. 

About Lance Fiondella 

Lance Fiondella joined the Department of Electrical and Computer Engineering in 2013. Prior to joining UMassD, he was a postdoctoral fellow in the School of Mathematical and Geospatial Sciences at the Royal Melbourne Institute of Technology (RMIT) in Australia. He conducts research in the areas of software and system reliability and risk. He has published more than 65 peer reviewed journal and conference papers on these topics. His research is supported by the United States Department of Homeland Security. 

News and Public Information, College of Engineering