Former St. Louis Cardinals scouting director Christopher Correa faced a judge this afternoon and pleaded guilty to five counts of unauthorized access to computer information. He will be sentenced in April. Pursuant to the Federal Computer Fraud and Abuse Act, the maximum potential penalty on each of the five counts is five years in prison, a fine of up to $250,000 and restitution. Given his lack of a criminal record it’s unlikely to be that stiff, but those are the potential penalties under the statute.
For baseball fans, the most interesting information in all of this comes from the criminal indictment filed by prosecutors today, which you can read in its entirety here. I have copied the stuff of particular interest below. “Victim A” is almost certainly Astros’ GM Jeff Luhnow:
After this, and after a news story about their Ground Control system, the Astros changed passwords, club-wide. Correa was not deterred, however, as he hacked into Luhnow’s email account to get Luhnow’s Ground Control login information. He then went back into the system and got:
During his hearing, the judge asked Correa what he was intending to do. Correa said, as has been reported in the past, that he was, in effect, trying to determine whether or not the Astros had appropriated the Cardinals’ confidential information when Luhnow left to join the Astros. Which led to this observation from the judge:
Which, yeah, is kind of not cool. Indeed, breaking the law to retrieve what one thinks is stolen is what has O.J. Simpson in a Nevada jail cell right now and has led the arrest and conviction of vigilantes everywhere. That said, the judge asked Correa if he found Cardinals information in the Astros’ system:
That may not raise to a criminal level — there is no allegation Astros people hacked into the Cardinals’ system — but it could be relevant to Major League Baseball in a larger team-to-team information security matter. All of that depends on what Correa is saying he saw, which we do not know yet.
That aside, the level and the amount of information Correa got from the Astros is extraordinary. The defense some have offered — that he was merely checking to see if the Astros stole something — seems like a tiny part of this compared to what he accessed. And the argument I have heard from some people that, “hey, Correa was just walking in an unlocked door, so it’s not a big deal,” is not really true. He walked in, the Astros locked it, so then he broke into Jeff Luhnow’s office, as it were, and stole the keys so he could walk back in again. That is not just idle perusing. That is a concerted effort to carry out corporate espionage.
All of which is to say that this is far from over, especially from a baseball perspective. Correa performed his duties as Cardinals scouting director for over two years while in possession of extensive amounts of Astros’ confidential information. That benefitted him personally and, by extension, benefitted the Cardinals via the acts he took on their behalf with that information in his head. And that’s the case even if he was the sole person involved. If anyone else accessed Ground Control or was made privy to the information Correa obtained, it makes the Cardinals’ collective informational advantage all the greater.
Major League Baseball needs to find out what, if anything the Astros have of the Cardinals, as Correa claims. They need to learn — as they may still learn given that the investigation and the case is not over — what law enforcement knows about anyone else’s involvement. There is still a long way to go. However, based on what is known at the moment, the data breach here was extensive and extraordinary and the Cardinals will likely be facing some stiff, stiff penalties as a result. Maybe financial penalties. Maybe draft pick penalties. Maybe some combination.
Either way, this case is way bigger than people thought it to be yesterday.