SA law firm to pay R5.5m to house buyer who lost money after her emails with them were hacked

The case goes back to emails and attachments that were received by the plaintiff, Judith Hawarden, in August 2019, perpetrated by an unknown cyber-criminal. Picture: African News Agency(ANA)

The case goes back to emails and attachments that were received by the plaintiff, Judith Hawarden, in August 2019, perpetrated by an unknown cyber-criminal. Picture: African News Agency(ANA)

Published Jan 18, 2023

Share

Cape Town - A high court judge has awarded R5.5 million to a house buyer whose email accounts were hacked in a case of “business email compromise”.

The judge ruled that giant law firm ENS Africa had failed in its duty of care when it did not warn her about the threat posed by hackers.

He said ENS, which refers to itself as “Africa’s biggest law firm”, was now liable to pay the buyer the money calculated at the prescribed rate of 10.25% per annum from August 2019 to the date of payment.

Business email compromise, also known as email account compromise, is a sophisticated scam that targets both businesses and individuals who perform legitimate transfers of funds.

The case goes back to emails and attachments that were received by the plaintiff, Judith Hawarden, in August 2019, perpetrated by an unknown cyber-criminal.

The chain of events set in motion by the transmission and receipt of the emails led Hawarden to transfer the R5.5 million, which was the outstanding amount due in respect of her purchase of a house, into a fraudulent account, which she thought was the ENS bank account.

The money was part of R6 million received as part of the divorce settlement that Hawarden, now retired and a senior citizen, received from her former husband.

She used R500 000 as a deposit to realtor Pam Golding Properties to buy a house in Forest Town, a leafy Johannesburg suburb.

It was when she got in touch with the ENS conveyancing section that the hackers began to intercept her emails, one of which had a PDF attachment with the firm’s bank account details.

Judge Phanuel Mudau said: “The plaintiff’s case established clearly that sending bank details by email is inherently dangerous.

“So (it) must either be avoided in favour of, for example, a secure portal, or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated.”

Judge Mudau said secure portals were available in 2019, and would have averted the fraud.

He said the fact that large firms such as ENS chose not to use effective technologies and measures that were available and were used by smaller conveyancers was not a good enough excuse.

During the case it emerged that password protected email was contemplated by the ENS’s own acceptable use policy.

Experts called to testify agreed that there were other mitigating technologies available in 2019, which could have been implemented by ENS’s in-house IT personnel or which would have been outsourced at a cost of between R2 000 and R8 000 a month.

The judge said: “The precautions that the defendant (ENS) should have and could have implemented but failed to implement, would have prevented the fraud regardless of how or why the plaintiff’s email was hacked.”

He said that although Hawarden was not an ENS client, she was still in their care and vulnerable to risk.