Mason Hayes Solicitors

Who are the Victims of Hackers?

In June this year in the case of Frontier Systems Limited t/as Voiceflex –v- FRIP Finishing Limited [2014] EWHC 1907 the Technology & Construction Court had to consider who was responsible to pay where hackers had infiltrated a telephone system and made over 10,000 international calls. 

Background to the claim

Voiceflex carried on a business providing telephony services over the internet and Frip carried on a business as decorative print finishers and was therefore the customer and/or end user.  One weekend in October 2011 Frip’s router was hacked and over 10,000 international calls were made to a premium telephone number in Poland.  Voiceflex raised an invoice in respect of those calls which totalled £35,560.20.  Frip refused to pay as it had not made the calls and a dispute therefore arose.    

The service

The service which Voiceflex provided was one whereby Frip was permitted to use Voiceflex’s system to transmit IP packets from Frip’s router to Voiceflex’s call server via the internet.  The process is often called “SIP trunk” within the industry. 

The claim

Voiceflex brought two claims.  The first being for the price of services supplied to Frip, and in the alternative, a claim for damages for breach of contract.  The alternative claim was based upon breaches of one express term and a number of implied terms which were as follows:

  1. Frip was not to divulge the router password and was to use all reasonable endeavours to keep it confidential and inaccessible to third parties;
  2. Frip was to take all reasonable steps to ensure that its networks were adequately protected from being accessed by unauthorised third parties; and
  3. Frip was to take all reasonable steps to ensure that any hardware installed by, or on behalf of, Frip was installed in such a manner that it was secure from access by unauthorised third parties. 

The decision

Claim for services

The Court concluded that the proper construction of the contract was that Frip was only liable to pay for the cost of calls actually made. It was therefore not the case that Voiceflex simply had to prove that it had made the service available to Frip in order to recover the costs of calls made, not by Frip, but by an unknown third party as a result of fraudulent activity.

What was detrimental to Voiceflex’s claim was the repeated reference in its terms and conditions to “using”, which led the Court to conclude that the trigger for liability to pay was use of the service rather than the mere supply of the service.

The Court then considered the question of use by an unknown third party rather than by Frip. The express term which confirmed an obligation on Frip not to divulge the password and to take reasonable steps to keep the password confidential was considered to be relevant.  The Court concluded that the inference that was to be drawn from that express term was that, if Frip complied with that obligation, it would not be liable for the cost of calls made by unknown third parties. 

The Court also took into account the fact that Voiceflex had subsequently amended its terms and conditions so as to confirm that its customer would be liable to pay for calls made whether fraudulently or otherwise.

Breach of Contract

As to the alternative argument, the Court accepted that the two implied terms outlined above were incorporated. However, the claim failed due to a lack of particularity and evidence in respect of the alleged breaches.  As to the allegation that Frip had not taken all reasonable steps to secure its network,  the Court found that Voiceflex had not put forward what Frip did, but should not have done; or conversely what Frip did not do, but should have done.  The claim therefore failed. 

Equally, as to the allegation that Frip did not take all reasonable steps with regard to the password, the Court found that the allegation lacked any particularity and failed to allege what reasonable steps Frip should have taken to prevent such an event occurring. It was suggested that the password strength was not sufficient, being 8 digits, and it was submitted that the password could have been up to 20 digits. The Court accepted the expert evidence that 8 digits was sufficiently strong and that in reality the number of digits was irrelevant, as the software used to attack the password does not need to know how many digits there are.

Finally, it was alleged by Voiceflex that Frip had left port 5060 open. Voiceflex, however, failed to discharge the burden of proof and the Court concluded that the port was not left open as alleged.

General Condition 11

Frip attempted to defend the claim on a further ground.  That was that General Condition 11 prevented Voiceflex from raising an invoice in respect of the calls as the service had not in fact been provided to Frip. It was averred that the purpose of General Condition 11 was to place the risk of incurring the cost of calls fraudulently made by unknown third parties upon the service provider, as opposed to the end user. 

As the Court had already determined the matter as outlined above, the comments made were therefore obiter only.  The Court concluded that General Condition 11 simply meant that any bill rendered should be accurate. Moreover, that it was not intended to specifically address the situation where there had been fraudulent activity. 

Considerations for Service Providers

Hacking is now prevalent and service providers should be giving serious consideration to how such scenarios should be addressed when they arise but also how such situations can be prevented. It is important to ensure that what is decided is outlined clearly and concisely within the terms and conditions.    

In terms of prevention, it may be preferable to offer tools to enable the end user to secure the hardware and network which the end user has sole control over and is therefore solely responsible for.  Irrespective of whether the contract provides for the sole responsibility to lie with the end user, a pro-active approach should be considered by the service provider.  It is not commercially sensible for a network provider to simply rely on the end user and/or a re-seller to protect the systems against fraud.    

Voiceflex has, for example, introduced its own fraud detection application for its customers called Advanced Behavioural Based Analysis (“ABBA”), which monitors activity and can red flag, limit, block and/or suspend activity. Whilst this has been implemented as a standard feature of the service, Voiceflex has confirmed that many end users and re-sellers do not use the feature. Voiceflex itself takes steps to attempt to access any apparent open ports and, where an open port is found, it reports its finding to the client for immediate action to be taken.
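The kind of behavioural monitoring described above, as an added illustration rather than Voiceflex's own ABBA code (which this article does not show): a sliding-window detector over constructed call records that flags a burst of international calls from one account, applying a tighter limit at weekends and outside business hours, when the case's 10,000 calls were made. The account name, thresholds, numbers and timestamps are assumed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample call detail records (CDRs), loosely modelled on the case:
# (timestamp, account, dialled number, duration in seconds). Not real data.
SAMPLE_CDRS = [
    ("2011-10-14 10:15:00", "frip", "0044161123456", 120),  # UK call, Friday
    ("2011-10-14 11:02:00", "frip", "0049301234567", 240),  # one intl call
    ("2011-10-14 11:40:00", "frip", "0033123456789", 200),  # another, later
    ("2011-10-15 02:00:05", "frip", "0048700123456", 310),  # Saturday 02:00
    ("2011-10-15 02:00:50", "frip", "0048700123456", 295),
    ("2011-10-15 02:01:40", "frip", "0048700123456", 301),
    ("2011-10-15 02:02:33", "frip", "0048700123456", 287),
    ("2011-10-15 02:03:20", "frip", "0048700123456", 290),
]

BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59, Monday to Friday


def is_international(number):
    # 00-prefixed dialling that is not the UK country code (0044)
    return number.startswith("00") and not number.startswith("0044")


def out_of_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect_bursts(cdrs, window=timedelta(minutes=10), threshold=6):
    """Return (account, timestamp, count) for each burst of international
    calls exceeding the limit within the sliding window. A live system would
    rate-limit or suspend the account at that point instead of just alerting."""
    recent = {}  # account -> deque of recent international call times
    alerts = []
    for ts_str, account, dest, _duration in sorted(cdrs):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if not is_international(dest):
            continue
        q = recent.setdefault(account, deque())
        q.append(ts)
        while q and ts - q[0] > window:  # drop calls older than the window
            q.popleft()
        # A print finisher makes few international calls at 2am on a Saturday,
        # so the out-of-hours limit is halved.
        limit = threshold // 2 if out_of_hours(ts) else threshold
        if len(q) > limit:
            alerts.append((account, ts_str, len(q)))
            q.clear()  # one alert per burst, then start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_CDRS):
        print("burst detected:", alert)
```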

In terms of catering for when fraudulent activity occurs, it is important for service providers to review their terms and conditions in respect of their charges, whether that includes liability for any fraudulent activity and what triggers liability.  Equally it is important to undertake a review with regard to the obligations of the end user with regard to its hardware and network.  These obligations should be as specific as possible. 

If it is not the intention of the service provider to provide for the end user to be liable for fraudulent activity, then it is going to be paramount to have rigid obligations as to what the end user must do to secure the network and hardware. It should be made clear that, should those obligations not be fully complied with, the end user will become liable for any charges incurred by way of fraudulent activity, as well as any other claims for damages for breach of contract. If this approach is taken, the onus should be squarely upon the end user to take steps to secure the network and hardware.

This approach however carries risk for service providers.  They won’t be getting paid for any fraudulent activity and they have to place great trust in their customers in protecting against fraud when most do not appear to be taking the risk of fraud seriously.  The preferable approach would therefore be to charge for any fraudulent activity and place an obligation on the customer in respect of securing the network and hardware.  There is therefore an incentive for the end user to comply with the obligations to secure the network and hardware.  That is because if it does not then it will be footing the bill.  It is however advisable to offer an application or product to assist your customer in that regard or make recommendations in that regard.   

In any event, it is advisable to chat through with the end user at the outset of any contractual relationship what the position is regarding fraudulent activity and what steps are required with regard to securing the hardware and network.

If you require advice regarding a dispute that has arisen regarding charges incurred as a consequence of fraudulent activity then please contact Marcus Hayes, Head of Commercial Litigation.  Equally, should you require advice regarding your terms and conditions then please contact Karen Houghton, Head of Corporate.

Marcus Hayes & Jessica Eaton, Commercial Litigation, Mason Hayes Solicitors
