More details on motivation and whoAccording to the article:
The F.B.I. and Justice Department prosecutors are investigating whether front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, hacked into internal networks of a rival team to steal closely guarded information about player personnel.Corporate espionage by the Cardinals appears to be the answer to motivation and whodunit questions. The article goes deeper though,
Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.Luhnow was not a popular person among some groups within the Cardinals organization, which isn't surprising. We've known about that for a while now. What is a bit surprising is that someone disliked Luhnow so much, that they would risk their reputation, the Cardinals organization reputation, and possibly some jail time just to get back at them.
How did they get in
This was the burning question last year and it appears we've now got an answer. If you'll remember the Houston Chronicle ran a piece on Ground Control, which is apparently similar to the Cardinals computer network, aptly named, Redbird. The picture on the article displayed an external link for Ground Control.
Story that made Ground Control public: Astros' formula for success builds on its own data bank http://t.co/wTcFSvlRXK via @HoustonChron— Evan Drellich (@EvanDrellich) June 16, 2015
It appears that the breach may have occurred before the article, however:
But in 2013, before their revival at the major league level, their internal deliberations about statistics and players were compromised, law enforcement officials said.Finding an external link without the help of a news organization is still possible. Link aside here's what the New York Time's article also had to say about getting in:
Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.
A "master list of passwords" is likely a spreadsheet that was used to store all passwords, that the Cardinals had in their possession. This seems to indicate that Luhnow and everyone who followed him to Houston involved in Ground Control used those same passwords. That's just bad operational security, if true.
Once the attacker got in, if Ground Control was built with a similar infrastructure and the attacker was in fact from the Cardinals organization, then they had a good understanding of layout of the system and knew where important information is stored. Where the Cardinals employee goofed up was not hiding his home IP address through a proxy or logging in from the house of a Cubs employee.
How could this have been avoided
With the information we have available, two-factor authentication.
With two-factor authentication turned on the attacker likely doesn't get in, even if they had the passwords.
Punishment and compensationSeveral have asked what the punishment for the Cardinals and/or compensation to the Astros will be and to be honest I don't know. The law is where my expertise ends. I don't know if government will pursue legal action against the people involved or if MLB will be allowed to handle this on their own. With the recent high profile breaches, the government has taken a strong stance on making attackers accountable for their actions. This breach falls in corporate espionage, so I'm not sure if they will take as hard of a line on this or even really care. MLB on the other hand will probably want to take a strong stance on this. This was embarrassing for the Astros last year and it's even more embarrassing now that another MLB team is involved.
It will certainly be interesting to see the outcome of this episode.