Africa’s largest law firm, Edward Nathan Sonnenbergs Inc (ENS), has been held liable for cyber attack on its email leading to financial losses.

The gist of the case as reported by Africa Legal was that a property buyer, Judith Hawarden, had deposited R5.5 million into what she believed was the firm’s trust account.

ENS was the solicitors to the seller of the property appointed to handle the transaction, with the authority to receive balance payment for the property. Hawarden had paid the deposit required under the sale agreement and thereafter chose to pay the balance of the purchase price of R5.5 million by way of electronic transfer of funds directly into ENS trust account (‘the ENS account’) for the benefit of the seller pending registration of transfer. Accordingly, ENS sent Hawarden an email accompanied by a PDF document confirming the firm’s banking details.

It then happened that the email was intercepted and had been hacked. The PDF had been altered to change the banking details to the one controlled by the fraudsters. Unknown to Hawarden, she paid the money by electronic transfer into the fraudster’s account instead of the firm’s account. The money was never recovered.

Aggrieved, Hawarden sued ENS at the High Court of South Africa, Gauteng Division, Johannesburg [(13849/2020) [2023] ZAGPJHC 14]. It was found that the relevant emails did not contain any warning regarding the prevalence of business email compromise (BEC) and that depositors must be circumspect by double-checking before making deposits. Hawarden contended that ENS owed her a duty of care.

However, ENS, on its part, denied any liability. The firm argued that Hawarden ought to have acted with more diligence and not be negligent.

The Judge, Phanuel Mudau, held that ENS failed to safely communicate its bank details using technical safety measures and that Hawarden depended on ENS to act professionally. According to the Judge:

I have no difficulty in finding that the defendant’s banking details were financially sensitive information regarding this matter and needed to be treated as such. I have no difficulty in concluding that the risk of BEC was foreseen by ENS. ENS is undoubtedly an experienced conveyancer, which understood the risks inherent in conveyancing transactions…

The Judge concluded that the interests of society demand that a legal duty is recognised in this case.

This case therefore serves as a lesson to all law firms and of course to everyone to be extremely careful with email communications. 

Send this to a friend