If you’ve been in the MSP business long enough, you’ve had this type of “client.”

Not really a client. Not really not. The kind who doesn’t want your stack. Doesn’t want to be managed. Doesn’t believe in layered security or recurring services.

But they do want you on speed dial. They’ll pay for help when the pressure is on—when the server is down, when Outlook won’t sync, when there’s smoke coming out of the firewall.

This MSP had one of those.

They called it “on-demand IT consulting.” Hourly work. No monthly invoice. No stack. Just a check when something needed fixing. And when something went horribly wrong—when their systems were breached—they called him.

So He Did What Any Decent Human Would Do

He helped. He didn’t try to upsell them mid-crisis. He didn’t say, “Well, since you’re not on the plan…” He rolled up his sleeves and got to work. He pulled critical data they needed to operate. He worked side by side with their team. He helped the forensic investigators dig into what happened.

What They Found Was Worse Than Anyone Expected

The breach wasn’t just noise. It wasn’t ransomware-for-show. The attackers had been inside.

One of the non-client’s employees had set up an unencrypted database. No logging. No controls. No nothing. And it was full of personally identifiable information. Names. Emails. Social Security numbers. All of it. Just sitting there, wide open.

Guess what the attackers grabbed?

Yep. A full copy.

Now you might think, “Okay, that’s awful, but it’s their mess. The MSP wasn’t managing that database. He wasn’t in charge of their infrastructure.”

Hold onto that thought.

Then They Asked the Next Question: How Did the Hackers Get In?

Turns out, they exploited a Citrix zero-day. One of those lovely little vulnerabilities that no one even knew about until attackers started weaponizing it. And before you get clever—the Citrix system had already been patched.

Didn’t matter.

The zero-day was live before the patch dropped. The attackers had a head start, and they used it well. This is the part where security engineers get angry. Because we know patching isn’t enough. We know defense in depth is the only thing that matters. We know zero-days don’t play fair.

But this business didn’t have defense in depth. They didn’t have security controls that tied back to standards. They had a SOC. Well, actually, two of them. But they didn’t see anything. Two of the same solution does not equal defense in depth.

They weren’t on the stack. They didn’t have layered controls.

So when the front door got kicked in, there was nothing to slow the attackers down.

What Came Next? A Breach Notification. Then a Feeding Frenzy.

The business did the right thing. They told their clients. “We had a breach. PII may have been accessed. We’re sorry.”

And that’s when the sharks started circling.

The attorneys smelled blood in the water. They found angry customers. They filed a class action lawsuit. Total damages? $7.25 million.

And our MSP?

The consultant. The helper. The guy who came in after the breach to pick up the pieces?

He got hit for $925,000.

Let me say that again: Nine hundred and twenty-five thousand dollars.

Why? Because the lawyers couldn’t easily draw a clear line between what he was responsible for… and what he wasn’t. Remember, that line has to be so simple a third grader can understand it. And when there’s no simple, clear line, you’re in the blast radius.

This Is the Moment You Wake Up in a Cold Sweat

You’ve been there before. The “non-client” asks for a favor. They need help. They promise it’s “just a quick thing.” And you’re human. You want to help. So you say yes.

But when the subpoenas start flying, your kindness doesn’t matter.

Your intentions don’t matter.

Only evidence does.

  • Evidence that shows what services you provided—and what you didn’t.
  • Evidence that proves what you recommended.
  • Evidence that documents what they declined.
  • Evidence that they weren’t on your stack and weren’t your responsibility.

This MSP? He didn’t have that—not in a way a court or an insurer would accept.

And that’s how “helping out” turned into a $925,000 invoice.

He’s Telling This Story—On Stage at Galactic Universe

This guy isn’t hiding. He’s going to stand on the stage at Galactic Universe and tell the entire story. And not just the horror story.

He’s going to share:

  • What worked
  • What blew up in his face
  • What he does now to make sure this never happens again
  • And the one move that made his insurance company stand beside him—instead of walking away like so many do when claims get murky

This isn’t a theory session. This isn’t a checklist.

This is raw, real, and unfiltered. It’s the kind of session that saves MSPs before they find themselves holding the bag.

You Have Two Weeks. And Only 21 Seats Left.

Galactic Universe is almost here.

If you’re still doing hourly work, still helping out non-clients, still treating documentation as optional—this session is the bucket of cold water you didn’t know you needed.

You’ve got 14 days to sign up. And there are only 21 seats left.

If you’re smart, you’ll grab one.

Because the next breach won’t wait. The next lawsuit won’t care. And the next time a non-client calls for help, you’ll remember this story.

Register now—because your $925,000 lesson shouldn’t come after the fact.