So you’ve been hacked

E-Briefs | Dispute Resolution


Email hacking incidents are on the rise, and we are seeing an increase in disputes over who should bear the loss when a bank transfer does not reach the intended recipient. Last month the ACT Civil and Administrative Tribunal (ACAT) dealt with this very issue, finding that payment to an incorrect bank account does not satisfy the debt—even if the bank account details appear to have been legitimately sent. On the ACAT’s reasoning, the person making the payment bears the obligation of ensuring the money is going to the right place.

The hacking incident between DRB and Canberra Hydraulics

The Trustee for the DRB Group ACT Trust v Canberra Hydraulic Engineering Services Pty Ltd (Civil Dispute)¹ involved proceedings commenced by a trustee company trading as RapidCleanDRB and DRB Equipment Repairs (DRB) against the company trading as Canberra Hydraulics (Canberra Hydraulics). DRB had agreed to supply some machinery to Canberra Hydraulics, the price for which was $5,499.

The next day Canberra Hydraulics received an email from ‘SALES AccountRight@apps.myob.com’ which stated:

Dear Customer:

Our banking details have changed please ensure your records are now updated to reflect the information listed on your attached invoices

Please contact us immediately if you are unable to detach or down you Invoice. Thank you

This email attached an invoice containing bank account details, but they were not DRB’s bank account details. Canberra Hydraulics transferred the invoiced amount to the bank details specified in the invoice.

Canberra Hydraulics then communicated to DRB that the money had been paid and sought to arrange a time to collect the machine. DRB did not, however, receive the funds. It advised Canberra Hydraulics that the invoice had not been generated by DRB, and the bank account was not its bank account. DRB agreed to release the machine to Canberra Hydraulics, on the basis that Canberra Hydraulics supplied a cheque for the purchase price, and DRB agreed not to bank that cheque until the matter had been investigated with Canberra Hydraulics’ bank.

Canberra Hydraulics contacted its bank and sought to stop the payment, but the bank could not retrieve the funds. DRB then sought to bank the cheque Canberra Hydraulics had given as security to collect the machine, but the cheque bounced.

Both parties conducted an investigation into their computers and software systems. MYOB sent an email to DRB in which it advised that an email had been sent by DRB’s MYOB system with the legitimate invoice and the correct bank details, and it was MYOB’s view that Canberra Hydraulics’ email account had been breached, with the result that the invoice was intercepted and changed by a fraudulent third party.

DRB then commenced proceedings to recover $5,499, the price of the machine.

How did the ACAT determine responsibility for the lost money?

DRB argued that, based on the email from MYOB which asserted that the hacking had occurred at the Canberra Hydraulics end, Canberra Hydraulics was responsible. The ACAT did not agree that the MYOB email was credible expert evidence as to the source of the hacking but said ultimately it does not matter whose system has been breached.

The ACAT approached the matter simply as a debt claim (which is how it was raised by DRB). That is, it was enough for DRB to assert the debt, and it was up to Canberra Hydraulics to prove the debt had been discharged. The fact that Canberra Hydraulics may have a claim against the recipient of the payment to recover the mistaken payment was not relevant to the current proceedings.

The ACAT compared the situation to that of a cheque that had been written and then lost in the mail—the debt is not extinguished until the funds are paid to the correct place. (Of course, there is a key practical difference—where a cheque is lost in the mail it can be easily cancelled and replaced and the sender is not out of pocket.)

Key takeaways

Although Canberra Hydraulics had no reason to question the legitimacy of the invoice and account details received, the ACAT’s view is that it bore the responsibility for ensuring the transfer it made went to the right place.

It is worth bearing in mind that the ACAT is a statutory tribunal rather than a court, and its decisions are not binding as precedent. Whilst this decision is an indication of the approach that may be taken in comparable cases, it is possible that in a claim where significantly more is at stake the parties may well obtain comprehensive expert evidence as to the precise source of the security breach, and more complex arguments may become relevant. The contractual arrangement between the parties may also be relevant, as it may in fact deal with the allocation of the risk of fraud.

This decision serves as a timely reminder for businesses and consumers in the era of frequent cyber fraud to take steps to reduce the risk of an email scam causing the loss of money.

Our 5 step plan for avoiding cyber fraud losses

  1. Review your terms of trade to make sure they are current and address modern issues, such as cyber fraud.
  2. Verbally confirm bank account details before making any payment to an unverified bank account. Do this with someone you have previously dealt with in the organisation—do not just call the number on the email you have received, as it may also be fraudulent!
  3. Check your terms of service with your bank, and your insurance policies, to ensure you understand whether, and in what circumstances, they will make good a loss you suffer as a result of a hacking incident.
  4. Practise good IT management, by ensuring that:
    • All your devices are regularly patched and updated.
    • You have proper antivirus or other security measures, such as firewalls, to protect your systems and network.
    • Two-factor authentication is used across all your platforms, e.g. banking, social media, VPN, myGov, etc.
    • Passwords are changed regularly and are not reused across multiple platforms.
    • Internal cyber security audits are carried out, by engaging security professionals where possible.
  5. Train your teams to be cyber aware, and regularly send them security reminders and information regarding the latest threats. Some useful government websites to monitor for scam information include CERT AU and Scamwatch.
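Step 2 above can be turned into a routine accounts-payable control rather than relying on staff to remember it. The following is an added example, not part of this eBrief or of the ACAT decision: it holds any invoice whose bank details differ from the vendor master file, or whose covering email announces changed banking details (as the email quoted earlier did), until someone records a confirmation obtained by phoning the contact number already held on file. The vendor records, invoices, BSB and account numbers, phone numbers and sender addresses are all constructed sample data, and the `KnownVendor`, `Invoice` and `Decision` shapes are assumptions of this example.

```python
"""Pre-payment control for supplier invoices (constructed example).

Not the eBrief's or ACAT's text: models step 2 of the 5 step plan as a
check that runs before a transfer is released. All data below is made up.
"""
from dataclasses import dataclass, field
import re

# Wording typical of a change-of-bank-details message (constructed list).
CHANGE_PATTERNS = [
    r"bank(ing)? details have changed",
    r"update(d)? (your )?records",
    r"new (bank )?account",
]


@dataclass(frozen=True)
class KnownVendor:
    name: str
    bsb: str            # bank-state-branch number held on file (constructed)
    account: str
    contact_phone: str  # number from the original contract, never from an email


@dataclass
class Invoice:
    vendor: str
    bsb: str
    account: str
    amount: float
    covering_email: str
    sender: str


@dataclass
class Decision:
    release: bool
    reasons: list = field(default_factory=list)


def mentions_bank_change(text):
    """True if the covering email reads like a change-of-bank-details notice."""
    return any(re.search(p, text, re.IGNORECASE) for p in CHANGE_PATTERNS)


def check_invoice(invoice, vendors, verified_calls):
    """Decide whether an invoice may be paid.

    vendors: dict name -> KnownVendor (the vendor master file).
    verified_calls: set of (vendor, bsb, account, phone) tuples recorded by a
      staff member who confirmed the details by calling the phone number held
      in the master file for that vendor.
    """
    reasons = []
    vendor = vendors.get(invoice.vendor)
    if vendor is None:
        return Decision(False, ["vendor not in master file; onboard and verify first"])
    if mentions_bank_change(invoice.covering_email):
        reasons.append("covering email announces changed banking details")
    if (invoice.bsb, invoice.account) != (vendor.bsb, vendor.account):
        reasons.append("invoice bank details differ from vendor master file")
    if not reasons:
        return Decision(True, [])
    # Unverified details: release only with an out-of-band confirmation made to
    # the contact number on file, never to a number taken from the email.
    key = (invoice.vendor, invoice.bsb, invoice.account, vendor.contact_phone)
    if key in verified_calls:
        return Decision(True, ["details confirmed by phone with known contact"])
    reasons.append(f"hold: confirm with {vendor.name} on {vendor.contact_phone} before paying")
    return Decision(False, reasons)


# Constructed master file and two constructed invoices: one genuine, one
# resembling the tampered invoice described in the case.
VENDORS = {"DRB": KnownVendor("DRB", "000-000", "11111111", "+61 2 0000 0000")}
GENUINE = Invoice("DRB", "000-000", "11111111", 5499.0,
                  "Please find attached your invoice.", "sales@drb.invalid")
TAMPERED = Invoice("DRB", "000-000", "99999999", 5499.0,
                   "Our banking details have changed please ensure your records are now updated",
                   "SALES AccountRight@apps.invalid")


def demo():
    """Run the tampered invoice through the control before and after a verified call."""
    verified = set()
    before = check_invoice(TAMPERED, VENDORS, verified)
    # Accounts staff phone the number on file; only then is the confirmation recorded.
    verified.add(("DRB", "000-000", "99999999", "+61 2 0000 0000"))
    after = check_invoice(TAMPERED, VENDORS, verified)
    return before, after


if __name__ == "__main__":
    print(check_invoice(GENUINE, VENDORS, set()))
    for d in demo():
        print(d)
```

The important design choice is that the confirmation record is keyed on the phone number from the master file, so a number printed on the suspect invoice or email can never satisfy the check; an invoice whose details match the file and whose email says nothing about a change passes without a call.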

How can we help?

We can assist you by reviewing your terms of trade, or advising you on actions you can take to recover an outstanding debt or resolve a dispute about payment.

If you have any questions about anything contained in this eBrief, please get in touch. MV Law has Dispute Resolution experts who would love to help you.

¹ [2022] ACAT 30.