WASHINGTON, D.C. – The former director of Baseball Development for the St. Louis Cardinals made an initial appearance in Houston federal court today on charges of accessing the Houston Astros’ computers without authorization, announced U.S. Attorney Kenneth Magidson of the Southern District of Texas and Special Agent in Charge Perrye K. Turner of the FBI Houston Division. Later this afternoon, the former Cardinals official entered a guilty plea to all counts as charged.
Christopher Correa, 35, of St. Louis, was charged in a criminal information with five counts of unauthorized access of a protected computer. No other personnel associated with the Cardinals organization have been charged.
“We have secured an appropriate conviction in this case as a result of a very detailed, thorough and complete investigation,” said U.S. Attorney Magidson. “Unauthorized computer intrusion is not to be taken lightly. Whether it’s preserving the sanctity of America’s pastime or protecting trade secrets, those that unlawfully gain proprietary information by accessing computers without authorization must be held accountable for their illegal actions.”
From 2009 to July 2015, Correa was employed by the St. Louis Cardinals and became the director of Baseball Development in 2013. In this role, he provided analytical support to all areas of the Cardinals’ baseball operations. Correa is no longer employed by the Cardinals organization.
The Astros and the Cardinals, like many teams, measured and analyzed in-game activities to look for advantages that may not have been apparent to their competitors. To assist their efforts, the Astros operated a private online database called Ground Control to house a wide variety of confidential data, including scouting reports, statistics and contract information. The Astros also provided e-mail accounts to their employees. Ground Control and Astros e-mails could be accessed online via password-protected accounts.
As part of his plea agreement, Correa admitted that from March 2013 through at least March 2014, he illicitly accessed the Ground Control and/or e-mail accounts of others in order to gain access to Astros proprietary information.
“The theft of intellectual property by computer intrusion is a serious federal crime,” said Special Agent in Charge Turner. “The Houston Cyber Task Force stands ready to identify, pursue and defeat cyber criminals who gain unauthorized access to proprietary data. In each and every case, we will seek to hold those accountable to the fullest extent of the law.”
In one instance, Correa was able to obtain an Astros employee’s password because that employee had previously been employed by the Cardinals. When he left the Cardinals organization, the employee had to turn over his Cardinals-owned laptop to Correa along with the laptop’s password. Having that information, Correa was able to access the now-Astros employee’s Ground Control and e-mail accounts using a variation of the password the employee had used while with the Cardinals.
The plea agreement details a selection of instances in which Correa unlawfully accessed the Astros’ computers. For example, during 2013, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects whom the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered. He also viewed the team’s scouting crosscheck page, which listed prospects who were seen by higher-level scouts. During the June 2013 amateur draft, Correa intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.
Correa later intruded into that account during the July 31, 2013, trade deadline and viewed notes of the Astros’ trade discussions with other teams.
Another set of intrusions occurred in March 2014. The Astros reacted by implementing security precautions, including changing the actual Ground Control website address (URL) and requiring all users to change their passwords to more complex passwords. The team also reset all Ground Control passwords to a more complex default password and quickly e-mailed the new default password and the new URL to all Ground Control users.
Shortly thereafter, Correa illegally accessed the aforementioned person’s e-mail account and found the e-mails that contained Ground Control’s new URL and the newly reset password for all users. A few minutes later, Correa used this information to access another person’s Ground Control account without authorization. There, he viewed a total of 118 webpages, including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.
On two more occasions, he again illicitly accessed that account and viewed confidential information, such as projects the analytics department was researching, notes of the Astros’ trade discussions with other Major League Baseball teams and reports of players in the Astros’ system and their development.
The parties agreed that Correa masked his identity, his location and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.
Each conviction of unauthorized access of a protected computer carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine.