International Cyber Expo International Cyber Expo
  • About Us
Friday, 17 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Workday Discloses Data Breach Following CRM-Targeted Social Engineering Attack

by The Gurus
August 20, 2025
in Featured
Data Breach Cyber attack code
Share on FacebookShare on Twitter

Workday, a leading provider of human resources and financial management software, has confirmed that it fell victim to a data breach stemming from a social engineering attack targeting a third-party Customer Relationship Management (CRM) system. According to the company, the breach did not impact its customer tenants or the secure data therein; instead, the compromised system contained primarily “commonly available business contact information,” including names, email addresses, and phone numbers.

Threat actors initiated the breach through a coordinated social engineering campaign. They reached out to Workday employees via SMS or phone calls, impersonating internal HR or IT personnel. These attackers tricked employees into granting access or revealing personal details, allowing them to infiltrate the CRM platform, likely Salesforce-based, via malicious OAuth applications.

Commenting on the incident, Dray Agha, senior manager of security operations at Huntress, said, “This incident underscores three non-negotiable defences: Eliminate OAuth blind spots, and enforce strict allow-listing for third-party app integrations and review connections at regular intervals. Adopt phishing-resistant MFA: Hardware tokens are essential, as ‘MFA fatigue’ attacks remain trivial. A huge number of attacks begin with social engineering, users being deceived, and user enrolment in execution of malware – effective security awareness training is a must for any organisation that wishes to repudiate cyber attacks.”

Workday discovered the breach on August 6, 2025, and made the incident public on August 15 via a blog post. Upon identifying the breach, Workday promptly blocked unauthorised access and implemented additional safeguards across its systems. The company emphasised that its customer-facing environments remain uncompromised and urged stakeholders to remain vigilant against phishing and impersonation attempts, reminding users that official communications will never be made via phone requesting passwords or sensitive information.

Tim Ward, CEO and co-founder at Redflags, warned that even limited data can have a wider impact: “Workday’s warning is correct; any information that attackers can use to increase ‘familiarity’ in subsequent social engineering attacks will significantly increase their impact. Psychological effects like authority bias, cognitive ease, social proof, and the mere exposure effect mean we are more likely to trust communications from them and be less likely to check for or notice telltale signs of social engineering. A healthy scepticism combined with helpful security awareness nudges at the point of risk to help encourage caution can be critical to protect people in organisations from these threats.”

The methods used highlight how manipulative such campaigns can be. Boris Cipot, senior security engineer at Black Duck, explained: “Social engineering is a manipulative attack method that relies on psychology and social interaction skills to deceive victims into releasing sensitive information. Attackers trick victims into performing actions that aid in gaining access to sensitive information, often requiring multiple interactions and ‘internal’ information to appear legitimate.

To protect against social engineering, organisations should establish and enforce strict procedures for handling sensitive information, such as not providing information over the phone, even to high-ranking executives, including the CEO. Employees should be aware of these procedures and understand that they will not be penalised for refusing to provide information or assist someone impersonating a superior.

The victims of the data breach should be careful. Workday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques. Although the breached information may be limited to commonly known business data in this case, individuals should still be vigilant to avoid falling prey to further attacks.”

This is not an isolated incident. Similar campaigns have targeted other high-profile organisations, including Google, Adidas, and Qantas. Jamie Akhtar, CEO and co-founder at CyberSmart, said the breach highlights how far social engineering has evolved: “This breach demonstrates two things. Firstly, given that Workday is the latest in a long list that includes Adidas, Qantas, Google, and Air France-KLM to be compromised in this way, it shows how effective and sophisticated social engineering campaigns have become. Targeting specific employees with a target business is a long way from traditional ‘spray and pray’ phishing campaigns.

Second, it highlights the need for every business to engage in proper, targeted cybersecurity awareness training. It’s very difficult to completely eliminate social engineering threats through technical means alone. After all, it only takes one staff member to be duped by a clever scam for the whole thing to come crashing down. Therefore, businesses need to focus on staff training. Training your people to be constantly on the alert for potential threats and to recognise them is the most effective way to counter social engineering.”

Darren Guccione, CEO and co-founder of Keeper Security, warned that third-party systems must be treated as part of the enterprise attack surface:
“The data breach impacting Workday is a perfect illustration of the persistent and evolving risk posed by social engineering tactics targeting third-party platforms. The situation is reflective of a troubling trend across enterprise software vendors, and it appears connected to a broader wave of recent attacks similarly targeting CRM systems at multiple global enterprises via sophisticated social engineering and OAuth-based tactics.

Even when primary systems remain intact, external integration points can serve as gateways for attackers. These third-party ecosystems often are not subjected to the same level of scrutiny and control as the internal environments.

Attackers will therefore impersonate HR or IT personnel via phone and text to trick individuals into granting access or divulging sensitive information. Although the data accessed may appear limited, it can subsequently fuel highly targeted phishing or bespoke social engineering schemes on customers by using their own personal data.

Organisations should therefore view third-party applications, vendor tools, and CRM systems as integral extension points of their own attack surface. They should restrict access to what is necessary, and implement Privileged Access Management (PAM), zero-trust architectures, and zero-knowledge approaches to limit exposure. They should require all partners and third-party platforms to undergo regular security assessments and continuous monitoring. Employees should be trained with frequent simulation testing in order to raise awareness. It’s also important that organisations deploy continuous monitoring and rapid response in order to flag and attend to any unusual access.

The Workday breach is not an isolated incident – it’s part of a broader, escalating digital threat landscape where malicious actors seek to exploit human trust, third-party tools, and misaligned legacy processes. Organisations must treat security as an enterprise-wide discipline, extending beyond the immediate perimeter, into every integration, every external vendor, and every employee interaction.”

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, reinforced that technical controls have limits: “Social engineering continues to be the most common way organisations get breached, for this very reason, that technical controls have their limitations. We currently don’t have effective ways for technology to screen and block phone calls in the same way that we can reduce some of the risk with emails. So, it’s important to not only educate people on these risks, but to empower them to say no to any suspicious requests that may come in and follow a separate, more secure process. There needs to be wider awareness raised as the information stolen can be used to craft convincing follow-on scams, which could be used as a foothold to an even bigger attack.”

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, added that companies need stronger internal processes: “Organisations like Workday need to put processes in place that will foil vishing calls like the ones that took down Workday. Companies need to train their employees and executives on how to recognise schemes like this, and provide ways to immediately contact IT when an attempt occurs. There should be security checklists put in place, requiring that they be completed before handing over any information or performing any actions that could be used to breach their servers.”

Finally, Chris Linnell, Associate Director of Data Privacy at Bridewell, cautioned that even seemingly low-risk breaches can escalate: “The recent disclosure by Workday regarding a breach of its third-party CRM platform has understandably raised concerns across the data protection and security community. On the surface, the impact appears to be low – primarily because the compromised data consists of business contact information, much of which is already publicly accessible. However, this should not lull organisations into complacency.

The real risk lies in the potential for targeted social engineering attacks. As seen in recent breaches involving high street chains like M&S, even seemingly innocuous contact details can be weaponised to craft convincing phishing or vishing campaigns. Workday customers and prospects should be particularly vigilant, as threat actors may exploit this data to impersonate Workday staff.

The good news is that Workday has confirmed the breach did not affect its core platform or customer tenant. This is a significant relief, especially given that Workday is widely used for HR and payroll processing, often involving sensitive and special category data. The confidentiality of employee data, such as health information, diversity metrics, and financial details, remains intact.

This incident underscores the ongoing need for robust employee training around social engineering. Traditional phishing simulations are no longer sufficient. Organisations must explore more creative and engaging methods to ensure that awareness messaging resonates and drives behavioural change.

Finally, the breach serves as a reminder of the importance of supply chain security. Organisations must ensure that their suppliers and partners embed strong controls across people, processes, and technology. As the saying goes, you’re only as strong as your weakest link.”

The Workday breach serves as a stark reminder that even when sensitive customer data is not directly exposed, attackers can still exploit seemingly benign information to launch more sophisticated campaigns. As experts agree, defending against these threats requires more than just technical safeguards; it demands a blend of rigorous employee training, resilient processes, and heightened scrutiny of third-party systems. With social engineering attacks growing in frequency and sophistication, organisations must treat every integration, every partner, and every employee as part of their security perimeter.

ShareTweet
Previous Post

Black Duck Debuts GitHub App to Automate Security Scans at Scale

Next Post

Keeper Security Launches Biometric Login with Passkeys

Recent News

AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

July 16, 2026
Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

July 15, 2026
Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

July 15, 2026
Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

Forescout Uncovers AI Assisted Phishing Campaign Using Fake eCards

July 14, 2026

Eskenzi PR banner ad

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol