When the consultant becomes the target: Lessons from the Credera cyberattack

In late September 2025, news broke that Credera — a boutique consulting and technology advisory firm — was breached, with sensitive information tied to its clients was exposed. These weren’t just any clients. Credera works with heavyweights such as Mercedes and AT&T.

The incident underscores a critical and growing threat vector: Cyberattackers are increasingly targeting partners, consultants and supply-chain vendors as a pathway to reach larger, more secure organizations. For managed service providers (MSPs) and enterprises alike, the Credera affair is a cautionary tale.

Credera is a global boutique consulting firm that operates in the domains of strategy, transformation, AI, data and technology. Reports indicate that attackers claimed to have stolen data related to high-profile clients such as Mercedes, AT&T, Green Dot, Myze and Spectrio.

Among the allegedly compromised assets were internal documents, infrastructure configuration files, SSL certificates, private keys, API keys, source code and GitHub projects. Some leaked materials also appeared to include confidential client communications and sensitive project data.

In short, this breach may have exposed not only Credera’s internal systems, but also the architectures and secrets of the enterprise clients it serves, potentially giving threat actors valuable intelligence to launch secondary attacks.

This incident illustrates a broader pattern in the threat landscape. Attackers increasingly seek to exploit the relationships and technical access of consulting firms and service partners to move laterally into more valuable corporate targets.

When you think of cyber risk, your mind might jump to large enterprises — banks, utilities, major tech firms. But many attackers view smaller organizations, including consultants, managed service providers (MSPs), system integrators, and subcontractors, as more accessible “stepping stones” to reach those big-name clients.

Here’s why:

1. Trusted access and privileges Partners and consultants often maintain privileged access to core systems, databases, development environments and APIs. A breach exposes not just the vendor, but everything that vendor touches.
2. Credential reuse and shared secrets Service providers frequently use shared credentials, tokens and automation scripts across multiple customer environments. Compromise one, and the rest may follow.
3. Smaller security budgets Many partners lack the security maturity or budgets of large enterprises. They may rely on a patchwork of tools or legacy systems, which attackers easily exploit.
4. Weak link in the chain Even if a large organization is well-defended, attackers often find easier entry through its partners. Once inside, they can pivot to high-value systems or snoop on communications and IP flows.
5. Intellectual property exposure Consultants often store sensitive code, architecture diagrams and strategy documents. If stolen, attackers gain a blueprint of their clients’ environments.

For MSPs, this reality is especially relevant. Their clients trust them to manage security, backups, access management and even application deployment. A single weak link can create cascading risk across the entire client base.

For MSPs, the challenge is delivering robust protection to multiple clients at scale without overwhelming overhead or having to juggle multiple disconnected tools. That’s where Acronis Cyber Protect Cloud comes in.

It natively integrates backup, disaster recovery, cybersecurity and endpoint management into one agent and one console with a single point of management. With AI-based behavioral detection, ransomware protection, anti-malware defenses, vulnerability assessments and forensic backup capabilities, MSPs can secure their clients proactively and efficiently.

By consolidating multiple capabilities into a single platform, MSPs reduce vendor sprawl, training overhead, and alert fatigue. In the context of the Credera incident, an MSP leveraging Acronis could ensure that:

• Secrets, configuration files and code artifacts are continuously backed up and protected.
• Endpoint threats are detected early before data is exfiltrated.
• Vulnerabilities are patched proactively.
• In the event of a breach, recovery is rapid, forensic data is preserved and attackers cannot persist undetected in backups.

With Acronis Cyber Protect Cloud, MSPs can deliver enterprise-grade defense — without enterprise-grade complexity.

For businesses seeking to protect themselves, Acronis Cyber Protect also delivers a natively integrated cybersecurity and data protection platform.

Rather than stitching together separate antivirus, backup, endpoint detection and response (EDR) and patching tools, Acronis Cyber Protect brings them together in a single architecture and point of control. This ensures that every layer of defense shares threat intelligence, eliminating blind spots and reducing response time.

Key capabilities include:

• Real-time threat protection with AI-based behavioral detection.
• Safe recovery to clean and patch systems after ransomware events.
• Forensic backup to preserve evidence for investigations.
• Continuous data protection (CDP) for minimal data loss.
• Vulnerability assessment and patch management to shrink the attack surface.

By centralizing all these functions, Acronis helps businesses create true defense-in-depth, ensuring that even if a partner or consultant is compromised, their internal systems remain resilient and protected.

The Credera incident is just the latest reminder that even trusted advisors can become attack vectors. Acronis Cyber Protect and Acronis Cyber Protect Cloud unify protection, automate defenses, and close every gap, combining data protection and cybersecurity in one platform to stop attacks before they spread and recover quickly and safely when they do.