Remember when you chose your first online login credentials? Perhaps it was for your brand new Hotmail account, or that lightning-fast AOL dial-up internet. As for many people, it was probably the first time you ever had to choose a password, and it was also probably some combination of your kids’ names, your spouse’s name or your mailing address. Like far too many people, your password in 2016 may not be much different from the one you made in 1996. Despite the best efforts of IT, most people are loath to complicate their lives with long and varying passwords. However, corporate espionage is a real threat in today’s computerized society, and executives must realize that treating the privacy of a company account carelessly is a recipe for liability. While it may not be your job to keep the entire system safe, it is your job to keep your key to it safe.
One executive at the Houston Astros baseball team recently learned this firsthand in what is possibly the least sophisticated cyber-security case ever. A St. Louis Cardinals executive was recently sentenced to up to 46 months behind bars and required to pay $279,038 in restitution for “hacking” into the Houston Astros’ computer system and stealing information on trades and prospects. While the defendant’s method may have been the most basic available, it is also one that few cyber-security systems can defend against – he guessed the password.
The defendant was able to “hack” into the rival team’s system by guessing the password of a former Cardinals executive who left the team to become general manager of the Astros. After leaving the Cardinals, the Astros executive was required to turn over his company-owned computer and its password to the defendant. However, when he began his new job, he made only a minor change to his password, allowing the defendant to easily guess the new credentials. The defendant then used this login information to access the Astros’ computer system for over a year, obtaining internal trade discussions, information on prospects and player bonus valuations. Prosecutors valued this stolen information at approximately $1.7 million.
Despite the many advances in cyber-security over the years, this case proves that human error is still an element in the protection of electronic information. Executives are entrusted with a great deal of proprietary information and allowing access to even an email account could reveal a devastating amount of commercially sensitive information. Protecting this information is one of the most important roles of an executive, and failing to do so could not only cost the company millions of dollars, but also subject the executive to significant liability for carelessly choosing a password. Let the Astros’ lesson be one you can learn from – obvious passwords simply won’t cut it when your company’s proprietary information is at stake.