Workday has confirmed a recent data breach stemming from a social engineering campaign that successfully accessed personal contact information stored in a third-party CRM system. The attackers, believed to be linked to the hacking group ShinyHunters, used tactics like voice phishing to trick employees into granting access.
The breach is part of a broader wave of attacks affecting Salesforce-hosted databases used by major corporations.
While Workday emphasized that customer HR data housed in its core platform wasn’t compromised, critics noted the company has not confirmed whether customer-associated information was accessed, and its disclosure efforts have raised eyebrows.
Workday’s breach notification page was found hidden from search engines, leading to concerns about transparency in the company’s response.
Why It Matters: This breach is another example of third-party platform vulnerabilities and the increasing sophistication of phishing campaigns targeting major enterprise providers. With 70 million users relying on Workday’s technology, even limited contact data exposure can fuel large-scale social engineering attacks.
- Social Engineering Was the Breach Enabler: The attack relied on phishing techniques that involved impersonating trusted internal departments like HR or IT through phone calls and text messages. Employees were deceived into providing credentials or other sensitive access, showing how even well-resourced companies remain vulnerable to manipulation-based attacks that don’t rely on traditional malware or system exploits.
- Data Accessed Was Basic, But Useful: Workday confirmed that the stolen information included names, work email addresses, and phone numbers, details often viewed as low-risk in isolation. However, such data is a goldmine for threat actors conducting follow-up attacks, as it provides credible entry points for more convincing phishing campaigns or identity-based intrusions targeting both internal and external stakeholders.
- CRM Platform Breach Reflects Broader Pattern: While Workday didn’t disclose the third-party provider, cybersecurity analysts and recent incidents strongly suggest a Salesforce-hosted database may have been compromised, mirroring breaches at Google, Cisco, Qantas, and Pandora. These attacks show a tactical shift where hackers target high-value cloud platforms used by multiple enterprises rather than attacking companies one at a time.
- ShinyHunters Possibly Behind the Campaign: Security researchers suspect the hacking group ShinyHunters orchestrated this campaign, as they have previously used voice phishing (vishing) to infiltrate corporate systems. The group is also believed to be behind data extortion schemes involving the creation of leak sites where victims are threatened with public exposure unless they pay to have their stolen data deleted.
- Company Transparency Questioned After “Noindex” Tag Found: Although Workday issued a blog post acknowledging the breach, a “noindex” tag in the original HTML prevented the page from being indexed by search engines. This tactic significantly reduced its visibility online and has drawn criticism from cybersecurity professionals who argue that full transparency is essential for public awareness and industry-wide risk mitigation.
Go Deeper:
- Protecting You From Social Engineering Campaigns: An Update From Workday – Workday
- HR giant Workday says hackers stole personal data in recent breach – TechCrunch


