Buy Me Some Peanuts and Database Hacks
It’s late July and the ‘boys of summer’ are in full swing, if you’ll pardon the pun. I’m a huge baseball fan and love most everything about the sport, including the mystique surrounding many of its unwritten rules. These rules, as their name suggests, cannot be found in any official rule book issued by Major League Baseball or other governing bodies. Nonetheless, they are firmly planted in players’ and coaches’ minds, and have their own system of self-policing administered mostly on the field. Typically penalties come in the form of a high-inside fastball for those that break them. Among the most established of these unwritten rules is the stealing of signs, a practice with many infamous examples throughout the game’s history. My personal favorite sign-stealing story surrounds the Chicago White Sox, who reportedly used a single light bulb in the centerfield scoreboard, turning it on-or-off to signal pitches to the home team batter.
Currently, the game and Major League Baseball is dealing with an entirely different type of stealing, with the recent case and sentencing of Chris Correa, a former executive with the St. Louis Cardinals. Last week, Correa received some ‘chin music’ of his own, being sentenced to nearly four years in prison by a U.S. District Court in Texas for masterminding a hack of the Houston Astros personnel database in search of insights into their player scouting. What’s particularly interesting here is that Correa wasn’t after any pitching or base-running signs, future lineups or other form of in-game strategic insight. Rather, he was after a pool of data that most every Major League Baseball team (and indeed professional teams in other sports) has come to view as highly valuable intellectual property, player analytics.
You might also like: A View from the Corner Offices: New Research on C-Suite Security Mindset
The Digitization of Baseball
In much the same way businesses in all industries have undergone a digital transformation over the past twenty years, baseball too has undergone its own transformation. This isn’t about Major League Baseball teams selling tickets or memorabilia through a website. The digitization of baseball has to do with the current fascination around in-depth player statistical performance as an indicator of future success. Baseball has always been big on statistics, of course. Few if any games lend themselves to an analysis of numbers the way baseball does. However, in recent years this has taken on a whole new level through the work of what’s often referred to as Sabermetrics, popularized by the book Moneyball by Michael Lewis. In the same way the hyper-statistically driven online advertising industry transformed marketing, Sabermetrics and its followers have turned the long-standing ideas of player scouting on their head. The creation of new statistics found to hold strong correlation to individual and team success have a wave of young math nerds turning their attention to our national pastime. Heck, there’s even an annual conference hosted by MIT Sloan School of Business on the topic of advanced sports analytics.
No one is immune
Perhaps the biggest takeaway beyond the implications of baseball is how this hack reinforces the fact that ‘no one is immune’ from today’s cyber-security threats. As with any business, as more value gets put around proprietary data, more and more attackers will seek to steal that data and/or disrupt operations by tying that data up. The competitively motivated attack is another interesting and important dynamic for organizations to consider. We’ve seen situations with customers where attacks against applications seemed primarily focused on interrupting ecommerce and other transactions, potentially to the benefit of other competing companies more immediately able to satisfy demand. In one particularly unique case, a major U.S.-based airline became the target of cyber-attacks that used bots programmed to “scrape” their site, looking for certain flights, routes and classes of tickets. With the bots acting as faux buyers—continuously creating but never completing reservations on those tickets—the airline was unable to sell the seats to real customers. In essence, the airline’s inventory was held hostage, and a growing number of flights were taking off with empty seats that could have been sold. Additionally, the bots could have been gathering valuable competitive pricing information, including information on the complex formulas that adjust pricing based on current demand.
What should by now be obvious to all is that any business has a wealth of valuable data within its systems. Baseball, just as any ecommerce or financial services organization, has a responsibility to protect that data in order to maintain its value. So the next time you watch a baseball game, consider all the data behind the moves you see on the field. And appreciate the importance to its owners of keeping that data as secure as consumer credit cards or personal health records.