Only the authorised bank account holder could set up legitimate, enforceable direct debits.
For the Direct Debit Scheme each DDI (Direct Debit Instruction) must be signed by the Payer - CeannComhair's friend in this case.
If an Originator attempts to collect funds using a DDI that isn't signed by the Payer then the DDI isn't valid and the Payer couldn't be held responsible.
For the Direct Debit Plus Scheme each DDI (Direct Debit Instruction) the originator is obliged to "...verify the customer details, including identity details, bank account details, authority details (joint accounts, non-personal accounts, etc)...".
If an Originator attempts to collect funds using a DDI where they have not verified the customer (Payer) details then the DDI isn't valid and the Payer couldn't be held responsible.
That is not to say that there couldn't be an attempt to defraud CeannComhair's friend. But I don't think the risk is significantly greater because someone has details that are on the cheques - the same details that were on each of the legitimate previously issued cheques.