(HOUSTON, TX) – The former director of baseball development for the St Louis Cardinals has been ordered to federal prison following his conviction for accessing the Houston Astros’ computers without authorization.
Christopher Correa, 36, of St Louis, MO, pleaded guilty on January 8 to five counts of unauthorized access of a protected computer.
Today, US District Judge Lynn N Hughes for the Southern District of Texas, who accepted the guilty plea, handed Correa a 46-month term of imprisonment. In handing down the sentence, Judge Hughes noted the seriousness of the crime and how other baseball teams now must have tighter and more intrusive security.
“You have made it harder for them to live their lives,” Hughes noted. Correa apologized and attempted to call his behavior reckless, but the judge corrected him.
“No, you intentionally and knowingly did these acts,” she said.
Correa will also be required to serve a term of two years of supervised release following completion of the prison term and must pay $279,038.65 in restitution to the Astros.
“We are grateful that the court agreed to our sentencing recommendation as it was based upon our evaluation of the seriousness of the crime and the actions of the defendant,” said US Attorney Kenneth Magidson. “I am proud of the investigators and the federal prosecutor assigned the case who worked diligently to ferret out all the facts. Today, justice was done.”
— Data Security & Tech (@MPBarry_law) July 19, 2016
From 2009 to July 2015, Correa was employed by the St Louis Cardinals and became the director of baseball development in 2013. In this role, he provided analytical support to all areas of the Cardinals’ baseball operations. Correa is no longer employed by the Cardinals organization.
The Astros and the Cardinals, like many teams, measured and analyzed in-game activities to look for advantages that may not have been apparent to their competitors. To assist their efforts, the Astros operated a private online database called Ground Control to house a wide variety of confidential data, including scouting reports, statistics, and contract information.
The Astros also provided e-mail accounts to their employees. Ground Control and Astros e-mails could be accessed online via password-protected accounts.
As part of his plea agreement, Correa admitted that from March 2013 through at least March 2014, he illicitly accessed the Ground Control and/or e-mail accounts of others in order to gain access to Astros proprietary information.
In one instance, Correa was able to obtain an Astros employee’s password because that employee had previously been employed by the Cardinals. When he left the Cardinals organization, the employee had to turn over his Cardinals-owned laptop to Correa, along with the laptop’s password. Having that information, Correa was able to access the now-Astros employee’s Ground Control and e-mail accounts using a variation of the password he used while with the Cardinals.
The plea agreement details a selection of instances in which Correa unlawfully accessed the Astros’ computers.
For example, during 2013, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects whom the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered.
He also viewed the team’s scouting crosscheck page, which listed prospects seen by higher-level scouts. During the June 2013 amateur draft, he intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.
Correa later intruded into that account during the July 31, 2013, trade deadline and viewed notes of Astros’ trade discussions with other teams.
Another set of intrusions occurred in March 2014.
The Astros reacted by implementing security precautions, including changing the actual Ground Control website address (URL) and requiring all users to change their passwords to more complex passwords. The team also reset all Ground Control passwords to a more complex default password and quickly e-mailed the new default password and the new URL to all Ground Control users.
Shortly thereafter, Correa illegally accessed the aforementioned person’s e-mail account and found the e-mails that contained Ground Control’s new URL and the newly reset password for all users. A few minutes later, Correa used this information to access another person’s Ground Control account without authorization.
There, he viewed a total of 118 webpages including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations, and summaries of college players identified by the Astros’ analytics department as top performers.
On two more occasions, he again illicitly accessed that account and viewed confidential information, such as projects the analytics department was researching, notes of Astros’ trade discussions with other Major League Baseball teams, and reports of players in the Astros’ system and their development.
The parties agreed that Correa masked his identity, his location, and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.
No other personnel associated with the Cardinals organization have been charged.