Angels, Dodgers are responsible for their own cyber security

The Angels and Dodgers can get help from Major League Baseball but cyber security is their own responsibility

When Jerry Dipoto retired as a player and started his climb up the front-office ladder 15 years ago, the Angels' general manager discovered that teams would store their most treasured data on hand-written index cards.


"I will literally go weeks without writing," Dipoto said Tuesday. "Even signatures on contracts are done electronically."

In baseball's information age, a team is as vulnerable as any other business to hackers breaking into a computer system. The Houston Astros learned that lesson the hard way last year, when Deadspin published leaked documents about trade talks, and Major League Baseball confirmed Tuesday the existence of a "federal investigation into the illegal breach of the Astros' baseball operations database."

The league has no evidence that another club has been the victim of a security breach, a high-ranking MLB official told The Times, speaking on condition of anonymity because of the ongoing investigation. The official — speaking generally and not about the Astros case — said each team is responsible for its own cyber security, but MLB employs experts and makes them available to consult with teams.

It is impossible to overstate the role of computer systems in the operation of a team — and not just on the business side, where executives can adjust ticket prices daily based on the latest sales data or modify orders for hot dogs or bobblehead dolls based on updated attendance projections.

The Dodgers just added a director of research and development, and they are hiring a "data scientist" as part of that analytics unit charged with imagining and developing "mathematical, statistical, and predictive models to support baseball operations."

Dipoto said every team has a proprietary data base, developed in-house or custom-designed for the team by a technology company. The Angels' computers include, among other features, statistical analysis, scouting reports, draft valuations, player videos, and what Dipoto said was a personal page for more than 6,000 players, from major and minor leaguers to amateur players in Venezuela and the Dominican Republic and pros in Mexico, Japan, and South Korea.

Minor league managers used to file nightly reports — who's hot, who's not, who's hurt, and so on — and Dipoto said he used to need an hour each morning to listen to all the voice mails.

"Now everything is accessible at the click of a button," he said.

The New York Times, which first reported the federal probe into the Astros' data breach Tuesday, said investigators traced the leaks to employees of the St. Louis Cardinals who were "hoping to wreak havoc on the work of Jeff Luhnow," the former Cardinals executive hired in 2011 as the Astros' general manager.

The newspaper reported that the Cardinals employees, concerned that Luhnow might have taken proprietary information, gained access to Astros computers based on passwords used in St. Louis by Luhnow and others who followed him to Houston.

In that event, the Astros might have been guilty of failing to take even the most basic of security precautions — changing your password every 90 days — said Ken Westin, senior analyst for Tripwire, an Oregon-based company that helps firms detect, prevent and respond to computer security threats.

"In their defense, they're probably not used to being attacked like this," Westin said.

A baseball team — or any other small business — need not spend more than $20,000 to protect its intellectual property from cyber attack, said Mo Rosen, chief operating officer at Xceedium, a Virginia-based company that helps businesses and the government protect data. Rosen said a two-step authentication process — a password, plus a card provided by the Astros, similar to an ATM card — might have been enough to keep the team's data safe.

"They didn't even take the most rudimentary steps to protect themselves," Rosen said.

Dipoto said he was not overly concerned by the possibility of a hack into the Angels' computers, since baseball teams tend to differentiate themselves not by the information they collect but how they apply it. Still, he said, the Angels' computer security precautions reflect the best practices of corporate America, first launched when the team was owned by the Walt Disney Co.

To access the most confidential baseball operations data, Dipoto said, he needs much more than a password.

"It's like walking into Ft. Knox," he said.

Twitter: @BillShaikin

Copyright © 2016, Los Angeles Times