Email may be essential, but it’s also overlooked even by security-minded enterprises. As I have mentioned before, the typical business employee sends and receives approximately 122 emails per day. Any of those emails could include an attachment that contains sensitive information about your organization – and it’s all too easy for that information to fall into the wrong hands if left unprotected.
Two Major League Baseball teams recently learned that lesson the hard way. In 2012, Chris Correa, scouting director for the St. Louis Cardinals, began hacking into the email and player evaluation databases of the Houston Astros. Motivated by jealousy of his rival scouting director, Sig Mejdal, he broke into the latter’s email and used it to access a massive amount of data.
According to court documents uploaded by the Houston Chronicle, Correa did the following:
- Broke into Mejdal’s e-mail account;
- Used information in the email account to gain access to the usernames and passwords of three Astros minor leaguers. He then copied this information into a file and emailed it to himself, allowing him to break into Ground Control, the Astros’ scouting database.
- Viewed private medical records and used those to inform his scouting decisions for the Cardinals.
- Masked his identity, location, and device with a tool called OnionBrowser.
- Downloaded and leaked nearly ten months of the Astros’ internal trade talks, possibly to embarrass the Astros after a glowing article in Sports Illustrated magazine.
Due to Correa’s misconduct, the Astros were awarded the Cardinals’ top two 2017 draft picks, as well as $2 million in reparations. It was, according to experts, an “unprecedented” punishment. Correa, meanwhile, is now permanently ineligible to work in MLB and has been sentenced to 46 months in prison for five cases of unauthorized access to a private computer.
As with last April’s NFL breach, this incident could have been prevented. All Correa needed to do to gain access to the Astros’ data was gain access to an email account. Based on reports, it appears that there were no additional measures in place to protect the team’s files.
Had the Astros been using BlackBerry Workspaces and Workspaces Email Protector – as several MLB and NFL teams are already doing – events could have played out very differently. Even if he managed to break into Mejdal’s email, he would have only had access to a very narrow collection of data – Workspaces would have barred the door against any further attempts to steal data. There are several reasons for this:
- Workspaces wraps files in state-of-the-art 256-bit encryption. Whether a file is shared via legitimate means or obtained illicitly, ONLY users that have permission to access the file can do so. Even if a user’s email account is hacked, the hacker can’t do anything with files protected by WorkSpaces.
- Workspaces makes use of powerful digital rights management technology (DRM) that allows IT to control everything that can be done with protected files, including whether it can be accessed, downloaded, edited, or shared. Permissions can be rescinded at any time, or set to a timed expiration. None of the documents or files in Ground Control were protected.
- Dynamic watermarks based on IP or email address can be applied to Workspaces files based on who is accessing them. This would have made it extremely difficult for Correa to leak the Astros’ trade talks without being tracked and caught.
- Email Protector automatically protects attachments, without requiring additional action by the employee. No files are present in the email account – just links to the Workspaces repository. All collaboration can be done there, safe from unauthorized eyes. Correa would have been unable to forward the list of usernames and passwords to himself – assuming they weren’t already in a protected file.
- Workspaces logging functionality maintains records of every activity connected to a file, including device type, access date, access location, and actions taken. Mejdal eschewed the Astros’ webmail system, and instead logged in from his iPhone or Laptop. Though Correa masked his device, identity, and location, his access records would have stood out as suspicious, and the Astros could have discovered the intrusion sooner – if not immediately.
As the Astros and Cardinals learned the hard way, email is basically insecure on its own. Using it as your sole means of protecting sensitive data is asking for trouble. To truly protect your files, you need a secure sharing platform – one with high usability, granular controls and automated file security.
BlackBerry Workspaces provides all three.
Want to see what the latest version of BlackBerry Workspaces can offer your business? Check out our release blog! You can also visit the official BlackBerry Workspaces page or take a look at the Workspaces Email Protector product page.