Johannesburg - Problems keep mounting for South Africa’s largest law firm ENSafrica after the court found that it is responsible for failing to prevent a cyber attack that led to a property buyer losing millions.
This was after the Johannesburg High Court ordered ENSafrica to pay R5.5 million to a victim of a syndicate that hacked her email when she was buying a house in Forest Town, Johannesburg, in 2019.
Judge Phanuel Mudau ruled that ENSafrica should compensate the victim, Judith Hawarden, with an amount of R5.5 million, plus interest. He also ordered the firm to pay the legal costs of the lawsuit on a punitive scale.
Judge Mudau found that ENSafrica neglected to warn Hawarden of the known risk of business email compromise (BEC), known as hacking.
He also found the law firm failed to take the necessary safety precautions designed to safeguard against the risk of harm occasioned by BEC.
This resulted in the correspondence between Hawarden and the law firm, which was handling the conveyancing of the house from its client, being intercepted.
As a result, instead of the money being transferred to ENSafrica’s trust account, it ended up in the account of the fraudsters and disappeared.
After the discovery of the fraudulent activities, the law firm called Hawarden to make payment for the second time, which resulted in her taking legal action against ENSafrica for failing to warn her about the dangers of BEC or taking precautions to prevent it.
“The evidence at trial established that the defendant (ENSafrica) was aware of the risks of BEC prior to the fraudulent incident and that it had failed to warn the plaintiff (Hawarden) of the risks of email and PDF manipulation or of precautions that could be taken against BEC prior to the plaintiff effecting electronic payment.
“Further, the defendant had control over the way in which it conveyed its bank account to the plaintiff – in an unprotected PDF attachment to an email transmitted to the plaintiff – while technically safety measures, among others, multi-channel verification (in-person or telephonic confirmation of the bank details) were available to be employed by it to avert cyber fraud,” said Jusge Mudau.
The suspects – Bukelwa Kwanina, Robert Asamoah, and Thembani Maswanganyi – appeared in the Johannesburg Specialised Commercial Crimes Court in connection with fraud perpetrated against Hawarden. They face charges of fraud, forgery, uttering, and contravention of the Prevention of Organised Crime Act.
Hawarden’s ordeal began when she divorced in 2019, and her husband gave her R6 million to purchase a home as part of the settlement. The purchase price was R6 million and she paid a R500 000 deposit to Pam Golding Properties in May 2019.
The hackers began to intercept her emails with ENSafrica conveyancing secretary Eftyhia Maninakis, one of which had a PDF attachment with the firm’s bank account details.
Hawarden transferred the R5.5 million on August 22, from Standard Bank in Rosebank to an FNB account.
“On August 23, Ms Maninakis sent to Ms Hawarden an investment mandate to be signed. The investment mandate contained several warnings about BEC and precautions to be taken against BEC.
“However, this was after the payment had been made, but before the fraud was discovered. The plaintiff's money was withdrawn during the period between her effecting payment by EFT and her becoming aware of the fraud.
“The beneficiary bank into which the outstanding amount was transferred, namely FNB, was unable to retrieve the misappropriated funds,” Judge Mudau said.
After the mistaken payment to the fraudsters’ account, in late September 2019, ENSafrica sent a statement of account and its banking details for Hawarden to make a second payment.
At the foot of the statement was a warning urging Hawarden to telephonically verify its banking details before making any payment.
The warning, which was absent when Hawarden transferred the R5.5 million, was added in response to fraud.
During her testimony, Maninakis said she did not know that PDFs could be manipulated until the incident of Hawarden occurred, and Judge Mudau said this confirmed that her training and awareness of BEC was hopelessly inadequate.
Her colleague Arshaad Carrim said he could not recall attending training or an induction about matters of cyber security from ENSafrica.
“Viewed objectively, the plaintiff (Hawarden) cannot be faulted for placing her trust in the defendant who she knew was a very large and reputable law firm.
“On her version, which I accept and cannot fault, she did not think she needed to seek advice as she was dealing with a law firm whose reputation went before it.
“I have no difficulty in finding that the defendant’s banking details were financially sensitive information regarding this matter and needed to be treated as such. I have no difficulty in concluding that the risk of BEC was foreseen by ENSafrica.
“In my view, the plaintiff’s case established clearly that sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated,” said Judge Mudau.
He added: “The interests of the defendant, as well as that of society, demand that a legal duty is recognised in this case.
“ENSafrica is best placed to understand and prevent business email compromise. Individuals in society are generally not as well-placed to respond to the ever-evolving threat of cybercrime, which is sophisticated and technical in nature.”
Hawarden told the court that ENSafrica accessed her computer and obtained her personal information and documents in the run-up to the trial.
She said the information included Vodacom cellphone records from January 2019 to December 2019, her bank account with Nedbank, and the correspondence between her and her lawyers during her divorce process.
She told the court that she could not understand the relevance of those records. Judge Mudau said it was inexcusable for ENSafrica to have done so. This alone, warrants a punitive costs order.
ENSafrica is also in trouble with its client Umsobomvu Coal in its fight for mining rights against Transasia that opened three criminal cases against the two.
Last year, Transasia opened a case against ENSafrica for encouraging Umsobomvu Coal owner, Hector Kunene, to take pictures using drones on its premises with the consent of the company’s owners, Luda Roytblat and Mathews Phosa.
ENSafrica was also accused of encouraging Kunene to obtain Transasia’s confidential documents in its application to appeal against the mining rights licence. The information included trading records, financial statements, and scientific and technical reports.
Last week, Transasia opened a criminal case against ENSafrica and Umsobomvu for committing corporate espionage by trespassing on Transasia’s premises illegally and unlawfully obtaining the company’s information.