In a “man in the middle” attack, a fraudster positions themselves between two targets. The fraudster intercepts and sometimes alters the data exchanged by the targets to further other crimes. Unfortunately, these attacks are all too common in today’s online economy and they are becoming more sophisticated with the advent of GenAI. Perhaps the most prevalent form of man in the middle attack sees the interception of email communications between parties to a contract. At the crucial moment, the fraudster, who has been lurking in the middle of the correspondence, changes beneficiary bank account details, ensuring the diversion of any funds to themself. Practically, the party to the contract which has been tricked into transferring its funds to the wrong beneficiary is going to find it difficult (or impossible) to recover them from the fraudster. This may prompt the victim to look elsewhere, including to the contract. In Logix Aero Ireland Ltd v Siam Aero Repair Company Ltd [2026] EWCA Civ 510, the Court of Appeal dismissed Logix’s argument that its loss was caused, not by the man in the middle, but by Siam Aero’s breach of a confidentiality clause.
Summary
In an all-too-familiar story, fraudsters inserted themselves into the contractual negotiations between Logix and Siam Aero for the purchase of two aircraft engines. The fraudsters procured that payment was made to an account in their control. The money had left the account by the time the fraud was discovered. Of note, there was no evidence that either party’s IT systems had been compromised, nor that either party had been responsible for the leak. There was also evidence that Logix’s automated system had notified the recipient of an email from the fraudster that he did not “often get email from [the email address falsely purporting to be that of the Siam Aero representative]”, but the recipient had not spotted the subtle change in the email address.
The letter of understanding (“LoI”) between the parties contained a confidentiality clause providing that the LoI contained commercially sensitive information which was to be held confidentially and neither party should disclose it to any third party (subject to the usual caveats). The only claim still pursued by Logix on appeal was that their loss had been caused by Siam Aero’s breach of the binding confidentiality clause in the LOI.
The legal principles
Chitty on Contracts (36th ed, 30-077) states that a voluntary act of a third person intervening between the breach of contract by the defendant and the loss suffered by the claimant will normally “break the chain of causation”. Leading on from this, Phillips LJ referred to three principles that were engaged on the facts of the case:
-
- Effective cause: As a matter of “causation”, the intervention of a third party may entail that the breach of contract is not the “effective” or “dominant” cause of the loss, but merely the opportunity or occasion for the loss. Phillips LJ noted that the intervention of the fraudsters occurred before any assumed breach of contract by Siam Aero, so the fraud was in fact the cause of Siam Aero’s assumed breach as well as an intervening and independent cause after the breach. Siam Aero’s assumed breach was one of a number of necessary stages in the fraud, brought about by the fraudsters as part of their overall fraudulent scheme which depended for its success on Logix being deceived and making payment to the wrong account. Phillips LJ considered this a clear case of Siam Aero’s assumed breach of contract being part (and only part) of the opportunity for the fraud rather than the cause of the fraud.
-
- Scope of duty: Loss caused by the intervention of a third party may not be regarded as the type or kind of loss in respect of which the contract breaker had assumed responsibility. Logix focussed its arguments on the judgment in London Joint Stock Bank Limited v Macmillan and Arthur [1918] AC 777 in which a partner in a firm signed a cheque (made out to the firm or to bearer) which had gaps in the amount of the cheque written in figures and no words in the space for writing the amount in words. A clerk at the firm fraudulently inserted numbers and words to increase the amount shown on the cheque and cashed it at the firm’s bank. The firm claimed a declaration that the bank was not authorised to debit its account with the amount of the altered cheque. The House of Lords rejected the claim, holding that the firm was in breach of the duty it owed to the bank to take care in drawing the cheque, the alteration of the cheque being the direct result of that breach. Phillips LJ held that the first instance judge had been right to distinguish Macmillan: The confidentiality clause in the LoI was primarily concerned with protecting the parties from commercial damage by reason of their documents and information falling into the hands of competitors. There was no hint that it imposed a special duty to protect the other party from being deceived by fraudsters.
-
- Remoteness: Loss caused by the intervention of a third party might not be regarded as arising “in the usual course of things” as a result of the breach of contract. In the circumstances, Logix’s loss was too remote.
Practical consequences
Although in this case the High Court and Court of Appeal distinguished Macmillan, it is foreseeable that, in future, victims of man in the middle attacks may well be able to bring themselves within the scope of duty principle. For instance, money managers, who are responsible for the conservation of their customers’ funds and who are an obvious target for man in the middle attacks, could find themselves liable for a negligent failure to implement reasonable cybersecurity measures.
And finally, one cannot talk about this case without giving kudos to the efforts of Sarah Gabriel and Paul Johnson, who represented Siam Aero at first instance and on appeal. Any errors in this piece should not be attributed to them!
