- ENSafrica failed in its duty of care when it failed to warn a house buyer about the threat posed by hackers, says a judge.
- Judith Hawarden lost her millions after hackers changed the bank account number in a PDF emailed by the law firm.
- Cyber security at ENS could have been beefed up for as little as R2,000 a month, witnesses told the Johannesburg high court.
- For more stories, go to www.BusinessInsider.co.za.
Africa’s largest law firm has been ordered to pay R5.5 million to a woman who fell victim to a syndicate that hacked her email during a property purchase.
The hackers changed the bank account number in a PDF emailed to Judith Hawarden by ENSafrica, which was handling the conveyancing of a Johannesburg house she was buying from its client.
Instead of landing in the law firm’s trust account, Hawarden’s money ended up in the account of one of the hackers, and swiftly disappeared.
After the discovery of the fraud, ENSafrica wrote to Hawarden demanding the money a second time, and she sued the bank for failing in its duty of care by negligently failing to warn her about the dangers of hacking or taking precautions to prevent it.
Three-and-a-half years later, the Johannesburg high court ruled in favour of Hawarden on Monday, ordering the firm to pay her R5.5 million plus interest and the costs and fees of two expert witnesses.
Judge Phanuel Mudau said even one of ENSAfrica’s own experts admitted in court that the firm could have done much more to avoid the fraud, and it could have cost as little as R2,000 a month to implement a technical solution.
“But for the negligent transmission of its account details and failure to warn Hawarden upfront of the inherent danger of business email compromise, she would not have suffered the loss,” he said.
“[ENS] was an expert conveyancer and was facilitating and managing the transaction. The risk of loss to Hawarden was highly foreseeable by ENS.”
Mudau dismissed the law firm’s argument that a ruling in Hawarden’s favour would expose all conveyancers to claims of the same kind by third parties with whom they have no relationship.
“ENS owed at least a general duty of care to … Hawarden,” he said. “[This] arose from the moment it accepted the brief to act as conveyancer in the transaction. [She] depended on [ENS] to act professionally.”
Even though evidence in court showed that in 2019 it was a “near-universal” practice for conveyancers to send their banking details by email, “it does not absolve [ENS] of its unsafe behaviour”.
The firm obviously knew better, said Mudau, because its trust account investment mandate – sent to Hawarden after she made the R5.5 million payment but before the fraud was detected – “contained several warnings about business email compromise and precautions to be taken against it”.
Mudau also made a punitive costs award against ENSafrica for including in its court files numerous documents from Hawarden’s laptop that had no relevance to the case, and for breaching agreements not to take copies of these documents when it had access to her computer during the discovery process. He said this was “egregious” behaviour.
Hawarden’s ordeal began when she divorced in 2019 and her husband gave her R6 million towards the purchase of a home as part of the settlement.
After deciding on a house in Forest Town, she paid a R500,000 deposit to Pam Golding Properties in May. Three months later, the hackers began to intercept her emails with ENS conveyancing secretary Eftyhia Maninakis, one of which had a PDF attachment with the firm’s bank account details.
She made the R5.5 million payment on August 22 from the Rosebank branch of Standard Bank. “The beneficiary bank, namely FNB, was unable to retrieve the misappropriated funds,” said Mudau.
ENS’s letter the following month requesting a replacement payment contained a warning urging Hawarden to telephonically verify the firm’s banking details before making the payment, and it emerged in court that this had been added in response to the August fraud.
Anton van ‘t Wout, an expert in digital forensics who testified on Hawarden’s behalf, gave a demonstration in court which Mudau said “showed the ease with which an email and PDF attachments could be spoofed and altered, the inherent insecurity of email, and alternative, safer ways of communicating sensitive information, including used a secure portal in conjunction with two-factor authentication”.
Attorney Mark Heyink, who specialises in IT law and organisational security safeguards, told the court that ENS’s witness statements revealed “inadequate awareness” among its staff of business email compromise.
When she testified, Maninakis said she did not know PDFs could be manipulated until Hawarden’s loss occurred, and Mudau said this showed her training and awareness of the dangers of hacking were “hopelessly inadequate”. ENS conveyancer Arshaad Carrim said he could not recall receiving training in cyber security.
“Viewed objectively, [Hawarden] cannot be faulted for placing her trust in [ENS], which she knew was a very large and reputable law firm,” said Mudau. “On her version, which I accept and cannot fault, she did not think she needed to seek advice as she was dealing with a law firm whose reputation went before it.
“Her case established clearly that sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal, or must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated. Secure portals were available in 2019 and would have averted the fraud.
“ENS is best placed to understand and prevent business email compromise. Individuals in society are generally not as well-placed to respond to the ever-evolving threat of cyber crime, which is sophisticated and technical in nature.”
In October 2021, the Mail & Guardian reported that Bukelwa Kwinana, Robert Asamoah and Thembani Maswanganyi appeared in the Johannesburg specialised commercial crimes court in connection with the Hawarden fraud. They faced charges of fraud, forgery, uttering and contravention of the Prevention of Organised Crime Act.