Hacking: Who is at fault?
Tom* had his internet and email account with a telecommunications provider for many years. He was also in the process of building a house. He got an email from his builder that had an invoice attached for an amount in excess of $40,000. He received what appeared to be a duplicate email and invoice the next day. He duly paid the second invoice and was surprised when his builder called him several weeks later to find out what was holding up the payment.
After extensive investigation, it turned out that Tom had been hacked. In a sophisticated scam, the scammer(s) sent a fraudulent invoice the day after Tom received the legitimate one. Tom paid the fraudulent invoice instead of paying his builder. There was no explanation or understanding from any of the parties as to how the fraud was committed.
Tom came to TDR to complain, believing that his internet provider was at fault. He argued that the provider had failed to protect his email, and that it was guilty of negligence. The provider attempted to resolve the issue but was unsuccessful.
TDR assigned the case to one of its dispute resolution practitioners. Tom and his provider first attempted to mediate the complaint with the practitioner’s help, but they were not able to reach an agreement. The practitioner then adjudicated the matter and issued a decision.
The adjudicator noted that there was clear evidence that a criminal act was committed by hacking Tom’s email. However, there was no evidence that the provider participated in the fraudulent activity or that the provider breached the Consumer Guarantees Act by not using reasonable care or skill in maintaining the security of Tom’s email account. As there was no breach of the Consumer Guarantees Act, the customer’s complaint was not upheld.
*Names have been changed to protect our customers’ identities.