Everything we know about the Workday data breach so far
HR giant Workday appears to be the latest in a string of companies impacted by a Salesforce threat campaign
Workday has confirmed a data breach after threat actors gained access to a third-party customer relationship management (CRM) platform.
In a blog post on Friday, the HR tech giant said hackers gained access to sensitive information hosted on the affected CRM system, but insisted no customer tenants – or the data contained within – were accessed.
Information exposed in the breach primarily included contact details such as names, email addresses, and phone numbers, the company revealed.
“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform,” the company stated in its advisory.
“There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.”
Given the nature of the information exposed in the breach, Workday warned customers to be wary of potential social engineering campaigns in the wake of the incident.
“It’s important to remember that Workday will never contact anyone by phone to request a password or any other secure details,” the firm said. “All official communications from Workday come through our trusted support channels.”
Kevin Marriott, senior manager of cyber and head of SecOps at Immersive, said this is a typical tactic observed in the aftermath of a data breach.
“This information is then used in subsequent social engineering attempts, or combined with other data already collected to make future social engineering attempts even more personalized, using the data captured,” he said.
Workday data breach the latest CRM-based incident
While Workday didn’t specifically identify the CRM system affected in the breach, the news comes in the wake of a string of Salesforce-based attacks on enterprises globally.
Threat intelligence research shows that the ShinyHunters threat group has conducted a wide-reaching campaign targeting Salesforce users in recent months.
Companies impacted in the campaign are believed to include Qantas, Allianz Life, Adidas, and several other retail brands worldwide.
Similarly, Google recently confirmed it had been attacked as part of the campaign. The discovery came after threat researchers at the tech giant, who were investigating the ShinyHunters group, realized the company too had fallen victim.
The social engineering campaign involves duping employees into linking a malicious OAuth app to the target company’s Salesforce instances.
Once access to an impacted database has been achieved, threat actors are then able to access, query, and exfiltrate sensitive information from customer environments, according to Google’s blog post detailing the campaign.
Marriott noted that CRM tools are a popular target for threat actors, largely due to the volume of useful information hosted on these platforms.
“CRM tooling is often a key target for threat actors as they typically store limited, but valuable information that threat actors can either use themselves or sell on, with databases full of information that is useful such as email addresses and other personal information,” he said.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.