Using another person’s password to get into a computer network might not seem like a big deal. But try tell that to a federal judge who just sentenced a former executive from the St. Louis Cardinals to 46 months in prison for using a password to prowl around another team’s player records.
The sentence, which came down on Monday, will also require 36-year-old Christopher Correa to pay $279,038.65 in compensation to the Houston Astros for spying on confidential analytics data in 2013 and 2014.
The penalties stem from charges under the Computer Fraud and Abuse Act (CFAA), a law that punishes unlawful access to computers, but that critics say is often used by prosectors in the case of relatively minor transgressions.
Get Data Sheet, Fortune’s technology newsletter.
Earlier this month, the unauthorized use of passwords was the focus of a high profile appeals court decision, and led a dissenting judge to say the CFAA risked making criminals of millions of Americans for engaging in ordinary behavior.
In the case of Correa, though, his behavior went beyond something ordinary, like borrowing someone’s Netflix password. As the legal complaint explains, Correa obtained the password for a laptop used by a departing employee Cardinals, and used it to guess a password used by the employee at his new job.
The departing employee’s new job was at the Houston Astros and Correa used the password to get into the employee’s email account, and into a software program called Ground Control, which MLB teams use to track and analyze player statistics.
Sharing Your Netflix Password Now Makes you a Federal Criminal
Correa’s unauthorized window into the Astros operations allowed him to obtain sensitive information about strategy and trade discussions.
Nonetheless, it’s worth asking if this snooping was a serious enough offense to justify sending Correa to prison for four years and forcing him to pay a quarter million dollars.
Correa also apologized and called his behavior reckless, which would normally help obtain a more lenient sentence. But U.S. District Judge Lynn Hughes was having none of it.
How to Punish a Hacker? Federal Prosecutors Go Too Far in Matthew Keys Case
“You have made it harder for them to live their lives…. [Y]ou intentionally and knowingly did these acts,” said Hughes, who sits in the Southern District of Texas.
Judges also found a CFAA violation in another closely-watched decision last week, involving “unauthorized access” to Facebook. Members of Congress recently tried to rewrite the law, but the effort fell short.
