Don't confuse stupidity and ignorance. Being ignorant of technical details doesn't make them stupid. Well, okay, being criminal is stupid...
I work with this stuff, and using a VPN won't give you a magic cloak of invisibility. If the Astros have halfway decent intrusion detection systems (common practice in enterprise IT), they can see the VPN, and where it came from, but not the contents. Trying to hide the source can prevent the Astros from knowing it; the FBI, OTOH, can trace it. That big fight over metadata and the NSA is exactly about the ability to trace such connections.
"on both sides"? What has Houston done, other than hiring a guy who obviously had been working with, or for, idiots?
On an organizational level, I would argue that ignorance of things like basic security re: all of your proprietary data is absolutely stupid. Ignorance and stupidity diverge in not knowing things that aren't really necessary to know. Not knowing crucial stuff that is required to maintain baseline competence at what you're doing, OTOH...
Agreed re: VPNs and invisibility. Wasn't my intention to give that impression, so my bad if I did. Using a VPN wouldn't have prevented the Astros from noticing that an intrusion was happening. I'm no expert, but as far as I'm aware there isn't really anything out there that will prevent an administrator from knowing that their network has been accessed. VPNs just provide an intermediary that can disguise where it's being accessed from. Sure, if the FBI gets involved you're ****ed either way, but in the far more likely event that the FBI doesn't get involved, it's pretty good protection considering the minimal amount of effort involved.
My 'on both sides' argument relates back to Houston's lack of security. I work for a pretty small company, but our data is one of our more valuable assets, so we put in place the basic precautions that you would expect of any company that's dealing with valuable data. One of those precautions is that, if someone wants to access the data warehouse from an offsite location, they must be logged in to the company VPN in order to do so. For people accessing the network legitimately, it's not a significant hurdle, but it makes it pretty much impossible for, say, a couple of low-level employees from a rival organization to break in by guessing passwords. I'm sure we employ many other protections as well that I'm either not aware of or only generally aware of. For example, we flat-out block IP access on a nationwide level in places where we know no legitimate access will be coming from. It's possible that the Astros do stuff like that, but given the far more basic steps that they apparently didn't take, I doubt it.
As a simpler alternative, two-factor authentication on access attempts from unrecognized devices is pretty standard these days. My financial accounts, utilities, and even Steam and Facebook have it. If the information contained there warrants this kind of protection, then surely the Astros' network does. And having it in place would have kept the Cardinals from gaining access, unless they also had access to Luhnow's phone or email. Again, a pretty minor step that's barely an inconvenience for people who are accessing your system legitimately, but the existence of which shuts down most of these kinds of attacks.
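The two posts above describe a layered access policy for a data warehouse: offsite logins only through the company VPN, an outright block on source countries with no legitimate users, and a second factor whenever a correct password arrives from a device the account has never used, plus a lockout that is what actually defeats password guessing. The following is an added example (editor's code, not written by either poster or by any team) that puts those rules in one decision function so the ordering and the outcomes can be seen. Everything concrete in it is assumed: the VPN client pool `10.8.0.0/16`, the office range `192.0.2.0/24`, the placeholder blocked country codes, the `device_id` (standing in for a long-lived device cookie or client certificate), the `country` field (assumed to be resolved by a GeoIP lookup at the perimeter), and the five-failure lockout threshold.

```python
"""Layered login policy for a data warehouse: country block, VPN-only offsite
access, lockout on repeated bad guesses, and 2FA on unrecognized devices.
All network ranges, country codes and thresholds below are assumptions made
for this example."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field

VPN_POOL = ipaddress.ip_network("10.8.0.0/16")      # assumed VPN client address pool
OFFICE_LAN = ipaddress.ip_network("192.0.2.0/24")   # assumed on-site range (TEST-NET-1)
BLOCKED_COUNTRIES = {"XX", "YY"}                    # placeholder codes with no legitimate users
MAX_FAILED = 5                                      # assumed lockout threshold


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 so a stolen credential table is not directly usable."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    known_devices: set = field(default_factory=set)
    failed: int = 0
    locked: bool = False

    @classmethod
    def create(cls, password: str, known_devices=()):
        salt, h = hash_password(password)
        return cls(salt, h, set(known_devices))

    def check_password(self, password: str) -> bool:
        _, h = hash_password(password, self.salt)
        return hmac.compare_digest(h, self.pw_hash)  # constant-time comparison


@dataclass
class Attempt:
    user: str
    password: str
    src_ip: str        # address the warehouse sees (inside the VPN or the office LAN)
    country: str       # assumed: GeoIP of the public source, resolved at the perimeter
    device_id: str     # assumed: long-lived per-device cookie or client certificate
    otp_ok: bool = False  # whether a valid second factor accompanied the request


def evaluate(accounts: dict, a: Attempt) -> str:
    """Return "ALLOW", "CHALLENGE:2fa" or "DENY:<reason>" for one login attempt."""
    ip = ipaddress.ip_address(a.src_ip)
    # 1. Country block: the cheapest check, applied before any credential is looked at.
    if a.country in BLOCKED_COUNTRIES:
        return "DENY:country"
    # 2. Offsite access only over the VPN: a guesser who is not on it never reaches the login.
    if ip not in VPN_POOL and ip not in OFFICE_LAN:
        return "DENY:not-on-vpn"
    acct = accounts.get(a.user)
    if acct is None:
        return "DENY:bad-credentials"   # same answer as a wrong password, so users can't be enumerated
    if acct.locked:
        return "DENY:locked"
    # 3. Lockout: repeated wrong guesses freeze the account instead of letting guessing continue.
    if not acct.check_password(a.password):
        acct.failed += 1
        if acct.failed >= MAX_FAILED:
            acct.locked = True
            return "DENY:locked"
        return "DENY:bad-credentials"
    acct.failed = 0
    # 4. Correct password from a device this account has never used: demand a second factor.
    if a.device_id not in acct.known_devices:
        if not a.otp_ok:
            return "CHALLENGE:2fa"
        acct.known_devices.add(a.device_id)   # remember the device once the OTP checks out
    return "ALLOW"


def demo() -> list:
    """Constructed attempts (not real traffic) exercising each layer in turn."""
    accounts = {"analyst": Account.create("correct horse", known_devices={"laptop-1"})}
    attempts = [
        Attempt("analyst", "correct horse", "198.51.100.7", "US", "laptop-1"),   # offsite, no VPN
        Attempt("analyst", "correct horse", "10.8.3.4", "XX", "laptop-1"),       # blocked country
        Attempt("analyst", "correct horse", "10.8.3.4", "US", "laptop-1"),       # VPN, known device
        Attempt("analyst", "correct horse", "10.8.3.4", "US", "rival-pc"),       # new device, no OTP
        Attempt("analyst", "correct horse", "10.8.3.4", "US", "rival-pc", otp_ok=True),
    ]
    results = [evaluate(accounts, x) for x in attempts]
    # Password guessing from inside the VPN: MAX_FAILED wrong guesses lock the account,
    # after which even the right password is refused.
    for i in range(MAX_FAILED):
        results.append(evaluate(accounts, Attempt("analyst", f"guess{i}", "10.8.3.4", "US", "rival-pc")))
    results.append(evaluate(accounts, Attempt("analyst", "correct horse", "10.8.3.4", "US", "rival-pc")))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order of the checks is the point: the country block and the VPN requirement reject an attempt before any password is examined, so an outsider guessing passwords never gets a yes/no answer at all, and the device check means that even a correctly guessed or reused password from an unfamiliar machine only earns a second-factor prompt.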
Fundamentally, if these organizations are going to take the time to build these huge repositories of data, with the stated purpose of creating a competitive advantage against their competitors, then taking data security seriously is not optional. It's an essential part of what they're trying to do, but they elected to overlook it. It's even dumber than Brandon Spikes failing to insure his Maybach.