Frip Finishing warns of SIP fraud risk after falling victim to £35k hack

Frip Finishing has issued a warning to print and packaging companies of the dangers of having a Voice Over Internet Protocol (VOIP) telephone connection after falling victim to a £35,000 SIP Trunk fraud.

The Hinckley, Leicestershire-based trade finisher was the target of a fraud carried out by unknown third-party hackers over the Halloween weekend in 2011 that resulted in it being invoiced for call charges totalling £29,631.50 for the month of October 2011.

The calls were made between 9:40pm on Saturday 29 October 2011 and 10:22am on Monday 31 October 2011 when the fraud was discovered. During that time 10,366 telephone calls were made, the majority of which were to a premium rate number in Poland.

Including a nominal £2 admin fee and VAT, the total bill came to £35,560.20, compared with Frip's normal monthly bill of around £10 for the service, which group managing director Leslie Gibson said was used as a backup to its primary PBX telephone system.

There followed a two-and-a-half-year legal battle, culminating earlier this month in a High Court Judgement clearing Frip Finishing of any liability for the fraud and awarding its legal costs in defending the claim brought by its VOIP telephone service provider, Frontier Systems (trading as Voiceflex).

Voiceflex's claim was brought on the basis that Frip was in breach of contract for failing to "take all reasonable steps to secure its network, so as to prevent unauthorised access to [Voiceflex's] SIP trunks system" largely on the basis of "port 5060 on Frip's router" being left open, thereby allowing the hackers to gain entry.

This was refuted by Frip and as there was no evidence to show that the port had been left open prior to the attack, the judge (His Honour Judge David Grant) ruled that Frip was not in breach of contract, nor was it liable for the calls made by the third-party hackers.

Gibson warned that, while Frip had successfully defended itself against Voiceflex's claim, there was little protection to be had from Ofcom for businesses or charities that fall victim to this type of fraud, and that VOIP service providers have since amended their terms such that users accept liability for any fraud.

"SIP fraud is estimated to be costing UK businesses more than £100m a year and it could be as much as credit card fraud," said Gibson. "Up to this point that cost has been borne by the victims. This case is the first to test Ofcom regulations and the judge did not come down on our side in that regard.

"The law appears to be at the moment that a telecoms company has the right to benefit from fraud and that seems wrong to me. If it was a credit card company I would expect them to take liability and to have responsibility for the detection and prevention of fraud.

"Ofcom's position places no requirement on the telecoms companies for the detection, prevention or liability in these types of fraud, and from a small business perspective - if you get hacked over the weekend, you're going to be out of business."

Gibson said he would be discussing the issue with his local MP as well as taking it up with Ofcom. He added that Frip no longer had a VOIP connection and said that the best way for companies to protect themselves would be to change the terms of their contract with their telecoms provider to implement spending limits and to restrict international calls to certain times.

"A SIP trunk is effectively an open credit card - I think most people are not aware of what they are buying or what the associated risk is."