Simple Data Protection Steps Could Have Prevented the Astros Hack
The St. Louis Cardinals were reportedly caught stealing more than bases from the Houston Astros last week. An employee for the Red Birds allegedly breached the Astros' private database of player information, notes and trade discussions, leading the FBI to announce an investigation into the foul play.
There are plenty of lessons to learn from the Astros' breach, which was less cloak-and-dagger corporate espionage and more a simple failure to implement basic data protection steps. Here's what in-house counsel needs to know to help prevent their company from falling victim to nefarious MLB franchises -- or anyone else.
Change Your Passwords
The Astros hack, like so many recent breaches, was likely the result of simply failing to take adequate protection measures. How simple was the failing? Simple enough that Deadspin, the sports blog, declared "everyone involved in the Cardinals hacking scandal seems to be an idiot." Supposedly, a manager from the Cardinals, who had been involved in their data collection, moved south to the Astros. Cardinals employees, it's alleged, simply looked up his old password and applied it to the Astros' account, getting easy access to all the Astros' information.
The lesson? Make employees change their passwords. New employees should be required to use novel passwords, not simply reuse the same ones from when they were working with competitors. Password policies should also be backed by basic best practices for cybersecurity, like two-factor authentication.
Over 90 percent of data breaches are preventable, according to an analysis by the Online Trust Alliance, an industry working group focused on improving data security and privacy practices. Implementing regular security audits and intrusion analysis can help you identify weaknesses in your data security and address them before there's a breach. Remember, it's not just private consumer information that needs to be protected -- any data that could give competitors an edge should be secured.
Be Prepared for a Breach
As is often the case, the Astros learned of the breach only after the inside information was posted on the Internet. The majority of cybersecurity breaches aren't even discovered by their victims, but by third parties, according to Lisa Sotto, cybersecurity head at Hunton & Williams. Most security breaches are likely to come to light when customers notice their information, such as credit card numbers, is being misused or when the breach is revealed by a law enforcement investigation.
Companies should have an incident response plan in place. This plan should address how to deal with cybersecurity breaches in-house, with vendors and with law enforcement. Being able to respond to a breach quickly can help companies minimize any resulting damages and notify affected partners early on.