Workday, a provider of enterprise cloud applications for finance and HR, confirmed it was targeted by a **sophisticated social engineering campaign** via a third-party CRM platform. Threat actors used impersonation tactics (phone calls/texts posing as HR/IT) to deceive employees into surrendering credentials, leading to unauthorized access to the CRM system. The breach exposed **business contact information** (names, emails, phone numbers), data that is commonly available but is used to fuel further scams. Workday clarified that **no customer data, proprietary systems, or tenant environments were compromised**. The company terminated the unauthorized access, reinforced security measures, and emphasized employee training to mitigate future risks. The incident underscores how third-party vendors and human error remain weak points in cybersecurity defenses.
Source: https://cybersecuritynews.com/workday-data-breach/
TPRM report: https://www.rankiteo.com/company/workday
"id": "wor411081825",
"linkid": "workday",
"type": "Breach",
"date": "8/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'None (Customer Data/Tenants '
'Unaffected)',
'industry': ['Enterprise Cloud Applications',
'Finance',
'Human Resources'],
'location': 'Pleasanton, California, USA',
'name': 'Workday, Inc.',
'size': 'Large (Enterprise-Level)',
'type': 'Corporation'}],
'attack_vector': ['Phishing (SMS/Phone Calls)',
'Impersonation (HR/IT Personnel)',
'Credential Harvesting'],
'customer_advisories': ['Customers were directed to Workday’s Security and '
'Trust webpage for updates.',
'Reminder: Workday will never request passwords or '
'secure details via phone.'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': ['Names',
'Email Addresses',
'Phone Numbers'],
'sensitivity_of_data': 'Low (Publicly Available or Easily '
'Obtainable)',
'type_of_data_compromised': ['Business Contact Information']},
'description': 'Workday, a leading provider of enterprise cloud applications '
'for finance and human resources, confirmed it was targeted by '
'a sophisticated social engineering campaign. The attack '
'resulted in unauthorized access to a third-party Customer '
'Relationship Management (CRM) platform, exposing commonly '
'available business contact information (e.g., names, email '
'addresses, phone numbers). The incident did not compromise '
'Workday’s core systems, customer data, or tenant '
'environments. Threat actors impersonated HR/IT personnel via '
'text messages or phone calls to deceive employees into '
'surrendering credentials. Workday terminated the unauthorized '
'access, reinforced security awareness, and implemented '
'additional protective measures.',
'impact': {'brand_reputation_impact': 'Potential Erosion of Trust (Mitigated '
'by Transparent Disclosure)',
'data_compromised': ['Business Contact Information (Names, Email '
'Addresses, Phone Numbers)'],
'identity_theft_risk': 'Low (Limited to Business Contact Info)',
'operational_impact': 'Minimal (No Core Systems or Customer Data '
'Affected)',
'systems_affected': ['Third-Party CRM Platform']},
'initial_access_broker': {'entry_point': 'Third-Party CRM Platform (via '
'Compromised Employee Credentials)',
'high_value_targets': ['Employee Credentials',
'Business Contact '
'Information']},
'investigation_status': 'Resolved (Unauthorized Access Terminated; Additional '
'Security Measures Implemented)',
'lessons_learned': ['Human element remains a critical vulnerability in '
'cybersecurity.',
'Third-party vendors can serve as attack vectors for '
'breaching primary targets.',
'Social engineering tactics (e.g., impersonation via '
'phone/SMS) are increasingly sophisticated.',
'Proactive employee training and awareness are essential '
'to mitigate phishing risks.'],
'motivation': ['Data Theft for Further Social Engineering',
'Credential Harvesting'],
'post_incident_analysis': {'corrective_actions': ['Terminated unauthorized '
'access to the CRM system.',
'Enhanced employee training '
'on social engineering '
'tactics.',
'Implemented additional '
'security measures (details '
'undisclosed).',
'Reinforced communication '
'policies to prevent '
'credential harvesting.'],
'root_causes': ['Successful social engineering '
'attack exploiting human trust.',
'Inadequate verification of '
'unsolicited communication '
'(phone/SMS).',
'Potential gaps in third-party '
'vendor security controls.']},
'recommendations': ['Enhance employee training programs to recognize and '
'report social engineering attempts (e.g., phishing, '
'impersonation).',
'Implement multi-factor authentication (MFA) for all '
'critical systems, including third-party platforms.',
'Regularly audit third-party vendor security practices '
'and access controls.',
'Reinforce communication policies (e.g., never request '
'passwords via phone/SMS).',
'Monitor dark web/underground forums for signs of stolen '
'credentials or exposed data.',
'Adopt behavioral analytics to detect anomalous access '
'patterns in real-time.'],
'references': [{'source': 'Workday Official Statement',
'url': 'https://www.workday.com/en-us/company/trust/security-trust.html'}],
'response': {'communication_strategy': ['Public Disclosure',
'Customer Reassurance via Trusted '
'Channels',
'Security Awareness Reinforcement'],
'containment_measures': ['Terminated Unauthorized Access to '
'Third-Party CRM'],
'enhanced_monitoring': True,
'incident_response_plan_activated': True,
'remediation_measures': ['Enhanced Security Awareness Training',
'Additional Security Controls']},
'stakeholder_advisories': ['Workday reassured customers that no proprietary '
'data or tenant environments were compromised.',
'Emphasized the importance of verifying '
'communication channels before sharing sensitive '
'information.'],
'title': 'Workday Social Engineering Campaign Leading to Third-Party CRM Data '
'Breach',
'type': ['Social Engineering', 'Data Breach', 'Third-Party Vendor Compromise'],
'vulnerability_exploited': 'Human Error (Lack of Awareness/Training)'}