You probably read about the MLB data breach from earlier this summer involving the Houston Astros reportedly being ‘hacked’ by the St. Louis Cardinals.
As details about the breach circulated, I found it interesting how often it was being referred to as a “hack.” For anyone not familiar with the details (at least as they were reported; the investigation is still ongoing), here’s a quick recap:
An Astros employee named Jeffrey Luhnow used to work for the Cardinals. While with the Cardinals, he used a computer system called Redbird, which the organization used to store proprietary information. When Luhnow went to the Astros, he helped Houston build a similar proprietary information storing system called Ground Control. When the Cardinals heard about Ground Control, they worried that Luhnow was now sharing information from his St. Louis days within the new Astros system. To investigate, the Cardinals looked at their master list of passwords for all employees, found the password Luhnow previously used for Redbird, tried using that same password to access Ground Control - and boom, got in.
This, friends, is not a sophisticated attack on a network. It’s poor personal management of passwords. Luhnow used the same password from one employer to the next, something many other people do, not realizing the potential implications. No technical skills were needed for this breach.
Michael Baumann at Grantland wrote a great article on the subject, which had one paragraph in particular that I loved.
“If you’ve watched any television or movies involving computers in the past 25 years, you know that “hacking” is what people who don’t know computers use as a catchall tool for any illicit or surreptitious access to a computer. It conjures up images of Seth Green on a laptop, chugging Red Bull while wearing a hoodie and an entire jar of Manic Panic Pretty Flamingo hair dye. This isn’t that — this is the equivalent of stealing a car that was left with the windows down and the keys in the ignition.”
What a great point. While movies like War Games, Sneakers, and of course, Hackers, made people who don’t work in security aware of what hacking is, many other movies and tv shows produced by people with less technical knowledge, over-simplified the term.
Dictionary.com defines hacker in a couple different ways:
“hacker - a person who has a high level of skill in computer technology or programming; a computer expert or enthusiast"
"hacker - a person who circumvents security and breaks into a network, computer, file, etc., usually with malicious intent”
Wikipedia defines hacker as:
All three give indication of how varying thoughts exist on what a hacker is. And while personally, I think Michael Baumann makes a great point on the Astros breach not being masterminded by a hacker, technically, by definition, the person who committed it could be considered a hacker.
The key is that the act must have circumvented security or exploited a weakness in the Astros’ security system. While the Cardinals employees behind the breach essentially guessed at a password and were correct, this shows that the Astros were not utilizing any advanced authentication process, such as two-factor or multi-factor authentication. They only had a basic password system in place. In that sense, the Cardinals exploited that weakness in the Astros’ system.
The incident shows how even one additional step in an authentication process can provide an extra layer of security that could deter many attacks. If the Astros had that in place, this data breach may have never even happened.