Workday confirms breach but rules out access to HR records

Workday says hackers accessed contact details via a third-party CRM in a social engineering campaign, but core customer and HR data remain unaffected.

Human resources technology provider Workday has confirmed that hackers gained access to a third-party customer relationship management (CRM) system, but stressed that its core HR databases were not affected.


In a blog post published on 15 August and titled “Protecting You From Social Engineering Campaigns”, the Nasdaq-listed firm said attackers used phone and text-based social engineering tactics to impersonate HR or IT staff and trick employees into sharing access credentials.


Workday said the breach allowed threat actors to obtain “some information” from the CRM platform, consisting largely of business contact details such as names, email addresses, and phone numbers. The company warned this information could be used to mount further phishing or impersonation scams against individuals and organisations.


“The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams,” Workday said.


No access to HR records


Workday emphasised there was no indication that customer tenants — the secure environments where corporate clients store employee records and HR data — were accessed. “There is no indication of access to customer tenants or the data within them,” the company said in its disclosure.


The firm added it had acted “quickly to cut the access” once the intrusion was discovered and introduced “additional safeguards” to prevent similar attacks.


It also reminded customers that Workday will never contact them by phone to request passwords or other sensitive information, stressing that all official communications are issued through trusted support channels.


The incident places Workday among a growing list of large enterprises targeted by social engineering attacks, which rely on manipulating employees rather than exploiting technical flaws.


Over the past year, hackers have increasingly used voice phishing (“vishing”) and SMS lures to infiltrate corporate systems. Similar campaigns have recently affected companies with Salesforce-hosted databases, including Google, Cisco, Qantas and retailer Pandora, where attackers accessed large volumes of customer records and in some cases attempted extortion.


Workday did not disclose which third-party CRM platform was breached, how many individuals were affected, or whether it has the forensic ability to determine what data was exfiltrated.


Although the data exposed in Workday’s case was limited to contact details, the breach highlights the risks facing vendors in the human capital management (HCM) sector. Platforms like Workday handle highly sensitive information such as payroll, benefits and personnel records, making them attractive targets for cybercriminals.


Even if core HR systems remain secure, experts warn that stolen contact details can be leveraged in follow-on phishing and impersonation attacks, raising the likelihood of deeper intrusions.


Workday said its Security and Trust team continues to monitor the situation and has issued guidance for customers on how to identify potential phishing attempts.

