Logix Aero Ireland Ltd v Siam Aero Repair Company Ltd [2025] EWHC 1283 (KB)
This case concerns the purchase of 2 aircraft engines by Logix Aero ("Logix"), a company based in Ireland, from Siam Aero Repair Company ("Siam"), based in Thailand. The sale was introduced to the defendant by Corentin Espitalier, the CEO of Sky Aeroservices SARL ("Sky Aero"), the French company providing the tear down services for the aircraft from which the engines were obtained. Representatives of Sky Aero were copied in to the parties' email correspondence.
The majority of the negotiations were carried out via email. As the terms of the sale & purchase agreement were being discussed, a fraudulent third party inserted themselves into the conversation using similar, but incorrect email addresses for the buyer and purchaser allowing the fraudster to act as an unseen middleman, controlling the conversation and stopping the parties to the transaction communicating with each other. The upshot was that the buyer, Logix, paid the purchase money to the fraudster on the basis of doctored invoices and this was only discovered when Siam complained it had not received payment.
The first access by the fraudster to the negotiation conversation was following a genuine email from Siam, but it was confirmed in forensic reports from Secretariat (instructed by Siam) and Kroll (instructed by Logix) that there was no evidence of either party's IT systems having been hacked or otherwise compromised, or that anyone connected to either party sent the email to the fraudster.
Kroll was not able to review Sky Aero's email system, having been informed by Sky Aero that the logs for the relevant months were missing. Although the judgment does not explicitly note this observation, an unanswered question sits over Sky Aero's emails as to whether they were hacked.
Initially Logix sought an interim seizure order of the engines in France after accusing Siam of fraudulently pocketing the money. Siam applied to strike out the claim and provided forensic evidence from Secretariat debunking Logix's allegations of fraud. Logix then filed amended particulars of claim which altered the crux of the claim from one alleging fraud to one in which Siam was accused of:
- Disclosing confidential information to the fraudster in breach of a confidentiality clause
- Providing apparent authority to the fraudster to act on its behalf when it reached the binding sale and purchase agreement. The apparent authority was said to arise from the principal (i.e. Siam) putting the agent (i.e. the fraudster) in a specific position carrying with it "usual authority".
The court struck out the claim, finding that no apparent authority could have been given by Siam to the fraudster to act as its agent and the concept has no application to circumstances where the parties believe they are dealing with each other. Further, even if there had been a breach of the confidentiality clause, this was not causative of the loss of purchase monies. The loss was caused by the communications from both sides and, primarily, the actions of the fraudster.
The court proceeded to award the Siam's costs on the indemnity basis thanks to Logix's initial unjustified allegations of fraud.
Relevance for victims of email fraud and cyber insurers
The circumstances of email interception leading to financial fraud will be very familiar to cyber insurers who frequently deal with "business email compromise" incidents, where by hackers obtain access to an insured's mailbox. While financial fraud does not always follow, business email compromised incidents do frequently appear to have this intention due to the targeting of accounting mailboxes and payment emails.
In circumstances where payment fraud does occur, a question often arises as to whether liability for the loss rests with the party whose emails were hacked, or whether it rests with the payor who ought to carry out due diligence checks on the recipient banking details.
The factual pattern, and legal liability, could also have implications as to whether a loss is covered by cyber insurance. If legal liability were to rest with the party whose emails were hacked, it is possible that a policy might insure the loss as under the third party liability cover. Otherwise, there may be no cover unless the paying party holds cyber insurance cover with explicit coverage/endorsement for financial losses arising out of email fraud.
Turning to the question of legal liability, this case is useful in that the courts recognised that Siam was not culpable in the fraud and had no liability. Key to this finding was the forensic evidence from Siam's forensic expert which confirmed that there was no evidence of its emails being compromised.
Similarly, Kroll confirmed that there was no evidence of compromise in respect of Logix's email environment. The elephant in the room appears to be the lack of logs to carry out an investigation into Sky Aero's email system. It is notable that Sky Aero was not named as a defendant, perhaps reflecting that the claimant felt that there was no viable cause of action for Sky Aero's legal responsibility for any compromise of its emails (if proven) or for the fraud.
In the absence of evidence to prove a security failure by the defendant, the argument raised by Logix that the fraudster was acting with the "apparent authority" of the defendant was ambitious and the court determined that it had no reasonable prospect of success.
The case highlights how important it is to carry out early forensic investigations following financial fraud related business email compromise incidents in order to identify which party, if any, was responsible for the email compromise (and indeed that a party was not responsible). Particularly where forensic logs have a limited lifespan. In the absence of compelling evidence that the payee suffered the security breach, a payor will continue to struggle absolve itself of responsibility for protecting itself against the fraud (for example by carrying out bank account verification checks). The financial losses, as this case shows, can be significant.
