Workday Data Breach: CRM Attack Compromises Business Contact Information

Workday has reported a data breach in which attackers used social engineering to gain access to a third-party Customer Relationship Management (CRM) platform. The company confirmed that no customer tenant or core system data was compromised; the exposed information was limited to business contact details such as names, email addresses, and phone numbers. The intrusion was discovered on 6 August and disclosed on 15 August. The attackers impersonated HR and IT staff in SMS messages and phone calls to deceive employees, and that manipulation led to the CRM being accessed through malicious OAuth applications. In response, Workday has blocked the unauthorised access, implemented additional safeguards, and urged stakeholders to remain vigilant against phishing attempts; the company emphasised that official communications will never request passwords or other sensitive data over the phone. The incident follows a series of similar breaches targeting CRM systems at companies including Google, Adidas, and Qantas, highlighting the increasing threat of OAuth abuse and the risks that come with third-party integrations.

Security experts have warned that this breach underscores the growing dangers posed by social engineering and third-party applications. Dray Agha, Senior Manager of Security Operations at Huntress, stated that the incident highlights three essential defences: eliminating OAuth blind spots, enforcing strict allow-listing for third-party app integrations, and regularly reviewing connections. He also stressed the importance of adopting phishing-resistant multi-factor authentication (MFA) and effective security awareness training to combat cyber-attacks. Tim Ward, CEO and Co-Founder at Redflags, noted the psychological risks of such attacks, explaining that any information attackers can use to create a sense of familiarity will significantly enhance their impact. He emphasised the need for a healthy scepticism and security awareness nudges to protect individuals within organisations. Boris Cipot, Senior Security Engineer at Black Duck, highlighted the manipulative nature of social engineering, which relies on psychological tactics to deceive victims into revealing sensitive information. 
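The second and third defences above, an allow-list of third-party app integrations and a regular review of existing connections, come down to comparing every OAuth grant in the CRM tenant against what the organisation actually approved. The script below is an added example, not Workday's, Huntress's, or any CRM vendor's code. The grant records, client IDs, scope names, and the service-account address are constructed sample data and assumed field names, not a real export format. It flags apps that are not on the allow-list, apps holding scopes beyond what was approved, bulk-export scopes on unknown apps, grants authorised by a human account rather than the integration service account, and grants created in the last week, which is the pattern a socially engineered consent leaves behind.

```python
"""Audit OAuth connected-app grants in a CRM tenant against an allow-list.

Added example (not from the original article or any vendor). Field names
client_id, app_name, scopes, granted_by and granted_at are assumptions about
an export format; the records, identifiers and addresses are constructed.
"""
from datetime import datetime, timedelta, timezone

# Approved apps and the maximum scopes each may hold (hypothetical IDs).
ALLOW_LIST = {
    "app-marketing-sync": {"read:contacts"},
    "app-ticketing-bridge": {"read:contacts", "write:cases"},
}

# Only the integration service account should be authorising apps; a grant
# made by a personal account is the signature of a user tricked into consent.
APPROVED_GRANTERS = {"svc-integrations@example.com"}

# Scopes that allow bulk read or export of tenant data (hypothetical names).
HIGH_RISK_SCOPES = {"export:all", "read:all", "api:full"}

# Grants newer than this get flagged so reviewers look at them first.
RECENT = timedelta(days=7)

# Constructed sample export of connected-app grants.
GRANTS = [
    {"client_id": "app-marketing-sync", "app_name": "Marketing Sync",
     "scopes": ["read:contacts"],
     "granted_by": "svc-integrations@example.com",
     "granted_at": "2025-03-02T10:00:00Z"},
    {"client_id": "app-ticketing-bridge", "app_name": "Ticketing Bridge",
     "scopes": ["read:contacts", "write:cases", "export:all"],
     "granted_by": "svc-integrations@example.com",
     "granted_at": "2025-06-30T08:15:00Z"},
    {"client_id": "app-9f3a2c", "app_name": "Data Loader",
     "scopes": ["api:full", "export:all"],
     "granted_by": "j.doe@example.com",
     "granted_at": "2025-08-05T17:42:00Z"},
]

# Fixed review time so the run is reproducible (constructed).
AUDIT_TIME = datetime(2025, 8, 6, tzinfo=timezone.utc)


def _parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_grants(grants, allow_list=ALLOW_LIST,
                 approved_granters=APPROVED_GRANTERS, now=None):
    """Return a list of (client_id, reason) findings, one per problem found."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for g in grants:
        cid = g["client_id"]
        scopes = set(g["scopes"])
        if cid not in allow_list:
            findings.append((cid, "not on allow-list"))
            risky = sorted(scopes & HIGH_RISK_SCOPES)
            if risky:
                findings.append((cid, f"high-risk scopes: {risky}"))
        else:
            # Approved app, but check it has not been re-consented with more
            # scopes than the allow-list permits.
            extra = sorted(scopes - allow_list[cid])
            if extra:
                findings.append((cid, f"scopes beyond approved set: {extra}"))
        if g["granted_by"] not in approved_granters:
            findings.append((cid, f"granted by non-integration account {g['granted_by']}"))
        if now - _parse_ts(g["granted_at"]) <= RECENT:
            findings.append((cid, "granted within the last 7 days"))
    return findings


def flagged_apps(findings):
    """Distinct client IDs that need review or revocation, sorted."""
    return sorted({cid for cid, _ in findings})


if __name__ == "__main__":
    for cid, reason in audit_grants(GRANTS, now=AUDIT_TIME):
        print(f"{cid}: {reason}")
    print("review:", ", ".join(flagged_apps(audit_grants(GRANTS, now=AUDIT_TIME))))
```

The reason this review has to be a scheduled control rather than a one-off is that a consented OAuth app does not need the victim's password or MFA token after the grant: the employee authenticates legitimately and approves the app, and the attacker's token then works on its own. Nothing in the login logs looks wrong, so the grant list is where the access shows up. On a real tenant, the constructed `GRANTS` list would be replaced by the CRM's connected-app or OAuth-token export, and anything flagged as not on the allow-list should be revoked before it is investigated.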

Categories: Data Breach, Social Engineering, Cybersecurity Measures 

Tags: Data Breach, Social Engineering, CRM, OAuth, Phishing, Security Awareness, Third-Party Integrations, Malicious Applications, Customer Information, Cyber Attacks 
