Debt Recovery Firm

How a nation-state breach at a 20-person firm exposed the hidden risk of underinvestment – and what Manawa did about it.

The Client

The client is a small but established Ontario-based debt recovery firm. At the time of onboarding, the organisation had approximately 15 employees and handled sensitive consumer financial records on behalf of one of Canada's largest national brands. The client had no dedicated IT function, relying instead on a part-time individual who was moonlighting alongside a full-time role elsewhere. To make matters worse, they were operating entirely on consumer-grade hardware and infrastructure.

The Challenge

The firm's leadership had never considered themselves a likely target for a cyberattack. With just 15 employees and no high-profile brand of their own, the assumption was simple: why would anyone bother with us?

That assumption overlooked a critical detail: the firm's value to an attacker had nothing to do with the business itself. It was all about who they were connected to. As a debt recovery partner for a major national brand, the firm held sensitive financial records on thousands of Canadian consumers, including individuals in financial distress. That data made them a high-value supply chain entry point for threat actors looking to identify and potentially recruit vulnerable individuals as intelligence assets.

Meanwhile, the firm's IT environment offered very little resistance. Years of underinvestment had left them running consumer-grade equipment – essentially the kind you'd pick up at any retail store, not technology designed to protect sensitive data. There was no proactive monitoring, no formal security controls, and minimal logging in place. The part-time IT support they relied on was enough to keep the lights on but offered no visibility into what was actually happening inside their network.

The firm didn't know they had a problem, because they simply had no way of knowing.

The Solution

Shortly after Manawa began working with the firm, the situation escalated beyond a routine IT engagement. The firm's principal received contact from a government intelligence agency, which had been actively tracking a nation-state actor operating inside the firm's network. An agent visited Manawa's office to request cooperation, seeking logs, access records, and environmental data to support the investigation.

The reality was sobering. Because of years of underinvestment, there was very little to hand over. Minimal logging meant limited visibility into the scope of the breach, and the consumer-grade infrastructure offered almost no forensic trail. Manawa worked closely with the agency, providing whatever information the environment could yield, but the experience underscored just how exposed the firm had been.

From there, Manawa led a full transformation of the client's IT environment. This included replacing consumer-grade hardware with enterprise-appropriate infrastructure, implementing proper monitoring and logging across all systems, establishing security controls proportionate to the sensitivity of the data handled, and building an ongoing managed services relationship with proactive oversight.

Beyond the immediate remediation, Manawa developed a strategic technology roadmap to bring the firm's overall IT maturity to a level befitting an organisation that handles sensitive financial data on behalf of a major national brand – ensuring the firm would never again be in a position where it couldn't see what was happening in its own environment.

The Results

The firm's IT environment today bears no resemblance to what Manawa inherited. What was once a consumer-grade setup with no visibility and no defences is now a fully managed, proactively monitored environment built to enterprise standards.

Full environmental visibility: Complete logging and monitoring across all systems, meaning that if a similar event were to occur, the firm would have full forensic evidence and the ability to respond immediately.

Enterprise-grade security controls: Protection proportionate to the sensitivity of the financial data handled on behalf of major clients, replacing the consumer-grade infrastructure that left the firm exposed.

Scalable growth: The business has grown from 15 to 25 employees, with technology infrastructure that has scaled alongside it without creating new vulnerabilities or gaps.

Supply chain confidence: The firm can now respond to vendor risk assessments and security questionnaires from larger clients with confidence, protecting the relationships that drive their revenue rather than putting them at risk.

Proactive partnership: The days of hoping they were too small to be noticed are over. The firm operates with the assurance that comes from knowing exactly what's happening in their environment – and having a partner watching it around the clock.

Key Takeaways

• Your size doesn't determine your risk – your clients do
• Underinvestment creates invisible risk
• Supply chain security is now a business qualification
• "It couldn't happen to us" is the most expensive assumption in IT

If your business handles data for, or connects to, larger organisations, you inherit their threat profile. Attackers look for the weakest link in the chain, and that's often the smaller partner.

Consumer-grade technology and part-time IT support may feel "good enough" – until there's an incident. And when that incident comes, a lack of logging and controls means you can't even assess the damage, let alone respond to it.

Larger organisations increasingly require their vendors and partners to demonstrate cyber security maturity. The firms that can't answer those questionnaires confidently risk losing the relationships that drive their revenue.

This firm wasn't targeted for who they were. They were targeted for who they worked with, and the data they had access to. If your business holds sensitive information (even on behalf of someone else), you're a target whether you realise it or not.