Baseball officially entered a new era Monday when it gave a lifetime ban to a computer hacker. To the rogues gallery of the permanently ineligible that includes the eight Black Sox who threw the 1919 World Series; Benny Kauff, who was thrown out in 1920 for selling stolen cars; and Pete Rose, who was banned for betting on baseball, Commissioner Rob Manfred consigned Chris Correa, the former Cardinals scouting director who hacked into the Astros's database.
Correa’s ban is largely symbolic. He is serving a 46-month sentence in federal prison after pleading guilty in January 2016 to five counts of unauthorized access to a protected computer. No team would give him a job when he gets out anyway. The news here is that the Cardinals should consider themselves lucky that Manfred didn’t drop the hammer on the club even harder than he did. St. Louis must pay a $2 million fine to the Astros and fork over their first two draft picks this year to Houston. The $2 million fine is the maximum allowed under the MLB constitution, and the draft picks are not in the first round; they're Nos. 56 and 75. The Cardinals already had lost their first-round pick for signing free agent Dexter Fowler. The picks lost are assigned a combined value of about $1.8 million.
While Manfred did find the club “liable for [Correa's] misconduct,” he did, to borrow a phrase, draw a firewall between Correa and all other St. Louis employees. He cast Correa as a rogue operator and the club as unknowing and unsuspecting of his behavior.
It is because Correa’s behavior was so widespread—hacking into Houston’s database 48 times through five employee e-mails over a 2 1/2-year period—that Manfred could have hit the Cardinals even harder. The NCAA likes to use the phrase “institutional control” to assign a larger responsibility for rogue behavior. “Institutional control” is important here because of how far-ranging the hacking was.
What if St. Louis had not signed Fowler? Would the team's penalty have included the loss of picks Nos. 19 and 56? It seems more appropriate to have the loss of a first-round pick attached to the penalty; where Fowler signed should have no bearing on the resolution of this case.
Manfred knew this was an important decision because he was establishing precedent here. Every baseball team now runs on proprietary analytics. The protection of that intellectual property is paramount. Where once Kennesaw Mountain Landis had to worry about players consorting with gamblers, throwing games or selling stolen cars, Manfred has to worry about cybersecurity.
But if the methodologies of rogue behavior are new, the reasons are as old as time: greed, envy and ego.
Correa was part of the new breed of bright minds in the game: people with advanced degrees who somehow want a stake in baseball, not in their field of study. He studied cognitive sciences at Hampshire College, obtained a masters in psychology at Illinois and was working on his doctorate at Michigan when he made the Cardinals an offer: He would volunteer to work for them, essentially as an analyst.
Correa eventually was hired full-time and worked under scouting director Jeff Luhnow, who left in December 2011 to be Houston's general manager. One month later, in January 2012, Sig Mejdal also left the Cardinals to join the Astros. Mejdal had worked at Lockheed Martin and NASA before joining St. Louis.
Shortly after Mejdal’s hiring in Houston, Correa hacked into the Astros’ system. How did he pull it off? Court documents show he gained access to Mejdal’s laptop after he turned it in. Correa discovered that the password on that laptop was the same one Mejdal was using with the Astros.
“It was based on the name of a player who was scrawny and who would not have been thought to succeed in the major leagues, but through effort and determination he succeeded anyway,” said Michael Chu, the assistant U.S. attorney who prosecuted the case against Correa. Chu said the Astros employee “just liked that name, so he just kept on using that name over the years.”
Why would Correa hack into the Astros’ system? He told U.S. District judge Lynn Hughes that he did so out of concern that the ex-Cardinals employees had taken with them proprietary information from the Cardinals.
“So you broke into their house to see if they were stealing your stuff?” the judge asked.
“Stupid, I know,” Correa said.
But Correa’s behavior went far beyond stupid. He gained unfettered access to Mejdal’s e-mail account and attempted to breach the accounts of other Houston employees. The government sentencing report, which was unsealed last week, detailed how Correa took information from the Astros to inform the Cardinals’ draft and trade decisions. In 2013, for instance, Correa accessed the Astros’ ranked draft list two months before the draft as well as scouting information from three Houston baseball operations people. He intruded into the system again the day before the draft and again before the third day of the draft, including a peek at private medical records of potential draft picks. He also viewed the Astros’ trade discussion notes “at least 14 times” leading up to the trade deadline.
“Ultimately, Correa was not intruding to see if the Astros took any information—rather, he was keenly focused on information that coincided with the work he was doing for the Cardinals,” Chu said.
There was one more motivation for Correa, according to Chu: jealously. SPORTS ILLUSTRATED's June, 30 2014 issue featured a cover story on the Astros that included the frontpage billing “Your 2017 World Series Champs.”
“Mejdal was one of Correa’s rivals,” Chu wrote, adding that the two of them engaged in “heated discussions” when both worked for St. Louis. “And now this rival was being praised.”
The Cardinals and Correa benefited from the hacks. The Cardinals gained access to privileged information. Correa earned a promotion. Finding a price to pay for those ill-gotten benefits was not easy for Manfred. The $2 million fine is among the highest ever levied against a club. But the Cardinals lost no players and no first-round picks. The hurt could have been worse.