Workday, a leading provider of human resources and financial management software, has confirmed that it fell victim to a data breach stemming from a social engineering attack targeting a third-party Customer Relationship Management (CRM) system. According to the company, the breach did not impact its customer tenants or the secure data therein; instead, the compromised system contained primarily “commonly available business contact information,” including names, email addresses, and phone numbers.
Threat actors initiated the breach through a coordinated social engineering campaign: they contacted Workday employees by SMS or phone, impersonating internal HR or IT staff, and tricked them into granting access or revealing personal details. That access let them infiltrate the CRM platform, which is likely Salesforce-based, via malicious OAuth applications.
Commenting on the incident, Dray Agha, senior manager of security operations at Huntress, said, “This incident underscores three non-negotiable defences: Eliminate OAuth blind spots, and enforce strict allow-listing for third-party app integrations and review connections at regular intervals. Adopt phishing-resistant MFA: Hardware tokens are essential, as ‘MFA fatigue’ attacks remain trivial. A huge number of attacks begin with social engineering, users being deceived, and user enrolment in execution of malware – effective security awareness training is a must for any organisation that wishes to repudiate cyber attacks.”
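Agha's first recommendation, allow-listing third-party app integrations and re-reviewing connections on a schedule, is straightforward to turn into a routine check. The following Python script is an added example written for this article, not code from Workday, Huntress or any CRM vendor: it runs a constructed inventory of connected OAuth apps (a hand-written stand-in for a tenant's connected-app export; the field names, app identifiers, scope names and the 30-day review interval are all assumptions) against an allow-list and flags apps that are not approved, hold scopes beyond what was approved, or have not been reviewed within the interval.

```python
"""
Allow-list audit for third-party OAuth app integrations on a CRM tenant.

Added example for this article, not code from Workday, Huntress or any CRM
vendor. The inventory below is constructed by hand as a stand-in for a
connected-app export; app ids, scope names and the review interval are
assumptions, not values from any real tenant.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed policy: every connection must be re-reviewed at least every 30 days.
REVIEW_INTERVAL_DAYS = 30

# Assumed allow-list: app id -> the maximum set of scopes the app is approved for.
ALLOWED_APPS: Dict[str, FrozenSet[str]] = {
    "app-crm-sync-001": frozenset({"read:contacts"}),
    "app-email-plugin-002": frozenset({"read:contacts", "send:email"}),
}

# Fixed reference date for the worked run (the disclosure date given in the article).
AUDIT_DATE = date(2025, 8, 15)


@dataclass(frozen=True)
class ConnectedApp:
    """One OAuth app connected to the tenant (field names are assumptions)."""
    app_id: str
    name: str
    scopes: FrozenSet[str]
    installed_on: date
    installed_by: str
    last_reviewed: Optional[date]  # None = never reviewed since installation


# Constructed inventory: not an export from any real tenant.
SAMPLE_INVENTORY: List[ConnectedApp] = [
    # Approved app, scopes within approval, reviewed 14 days before AUDIT_DATE.
    ConnectedApp("app-crm-sync-001", "CRM Sync", frozenset({"read:contacts"}),
                 date(2025, 1, 10), "admin@example.com", date(2025, 8, 1)),
    # Approved app that has since been granted a scope beyond its approval,
    # and whose last review (75 days ago) is older than the interval.
    ConnectedApp("app-email-plugin-002", "Mail Plugin",
                 frozenset({"read:contacts", "send:email", "read:all"}),
                 date(2025, 3, 2), "admin@example.com", date(2025, 6, 1)),
    # App absent from the allow-list, authorised by an ordinary user, never reviewed.
    ConnectedApp("app-unknown-999", "Contact Export Tool",
                 frozenset({"read:all", "export:data"}),
                 date(2025, 8, 5), "employee@example.com", None),
]

Finding = Tuple[str, str]  # (app id, finding code)


def audit(inventory: List[ConnectedApp],
          allowed: Dict[str, FrozenSet[str]] = ALLOWED_APPS,
          today: Optional[date] = None,
          interval_days: int = REVIEW_INTERVAL_DAYS) -> List[Finding]:
    """Compare connected apps against the allow-list and the review schedule.

    Returns one (app_id, code) tuple per issue, in inventory order:
      NOT_ALLOW_LISTED          app is absent from the allow-list
      EXCESS_SCOPES:<scopes>    app holds scopes beyond its approved set
      REVIEW_OVERDUE            never reviewed, or last review older than interval
    """
    today = today or date.today()
    findings: List[Finding] = []
    for app in inventory:
        if app.app_id not in allowed:
            # An unapproved app is the headline finding; the reviewer inspects
            # its scopes when handling it, so no further checks here.
            findings.append((app.app_id, "NOT_ALLOW_LISTED"))
            continue
        excess = app.scopes - allowed[app.app_id]
        if excess:
            findings.append((app.app_id, "EXCESS_SCOPES:" + ",".join(sorted(excess))))
        if app.last_reviewed is None or (today - app.last_reviewed).days > interval_days:
            findings.append((app.app_id, "REVIEW_OVERDUE"))
    return findings


def run_audit() -> List[Finding]:
    """Worked run over the constructed inventory at the fixed reference date."""
    return audit(SAMPLE_INVENTORY, today=AUDIT_DATE)


if __name__ == "__main__":
    for app_id, code in run_audit():
        print(f"{app_id}: {code}")
```

In practice the inventory would be pulled from the CRM's admin export or API rather than written as a literal, and each finding would open a ticket or alert for the owning team; the comparison logic stays the same. Checking scopes against the approved set, not just the app's presence on the list, is what catches an approved integration whose permissions have quietly grown.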
Workday discovered the breach on August 6, 2025, and made the incident public on August 15 via a blog post. Upon identifying the breach, Workday promptly blocked the unauthorised access and implemented additional safeguards across its systems. The company emphasised that its customer-facing environments remain uncompromised and urged stakeholders to remain vigilant against phishing and impersonation attempts, reminding users that Workday will never phone them to request passwords or other sensitive information.
Tim Ward, CEO and co-founder at Redflags, warned that even limited data can have a wider impact: “Workday’s warning is correct; any information that attackers can use to increase ‘familiarity’ in subsequent social engineering attacks will significantly increase their impact. Psychological effects like authority bias, cognitive ease, social proof, and the mere exposure effect mean we are more likely to trust communications from them and be less likely to check for or notice telltale signs of social engineering. A healthy scepticism combined with helpful security awareness nudges at the point of risk to help encourage caution can be critical to protect people in organisations from these threats.”
The methods used highlight how manipulative such campaigns can be. Boris Cipot, senior security engineer at Black Duck, explained: “Social engineering is a manipulative attack method that relies on psychology and social interaction skills to deceive victims into releasing sensitive information. Attackers trick victims into performing actions that aid in gaining access to sensitive information, often requiring multiple interactions and ‘internal’ information to appear legitimate.
To protect against social engineering, organisations should establish and enforce strict procedures for handling sensitive information, such as not providing information over the phone, even to high-ranking executives, including the CEO. Employees should be aware of these procedures and understand that they will not be penalised for refusing to provide information or assist someone impersonating a superior.
The victims of the data breach should be careful. Workday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques. Although the breached information may be limited to commonly known business data in this case, individuals should still be vigilant to avoid falling prey to further attacks.”
This is not an isolated incident. Similar campaigns have targeted other high-profile organisations, including Google, Adidas, and Qantas. Jamie Akhtar, CEO and co-founder at CyberSmart, said the breach highlights how far social engineering has evolved: “This breach demonstrates two things. Firstly, given that Workday is the latest in a long list that includes Adidas, Qantas, Google, and Air France-KLM to be compromised in this way, it shows how effective and sophisticated social engineering campaigns have become. Targeting specific employees with a target business is a long way from traditional ‘spray and pray’ phishing campaigns.
Second, it highlights the need for every business to engage in proper, targeted cybersecurity awareness training. It’s very difficult to completely eliminate social engineering threats through technical means alone. After all, it only takes one staff member to be duped by a clever scam for the whole thing to come crashing down. Therefore, businesses need to focus on staff training. Training your people to be constantly on the alert for potential threats and to recognise them is the most effective way to counter social engineering.”
Darren Guccione, CEO and co-founder of Keeper Security, warned that third-party systems must be treated as part of the enterprise attack surface:
“The data breach impacting Workday is a perfect illustration of the persistent and evolving risk posed by social engineering tactics targeting third-party platforms. The situation is reflective of a troubling trend across enterprise software vendors, and it appears connected to a broader wave of recent attacks similarly targeting CRM systems at multiple global enterprises via sophisticated social engineering and OAuth-based tactics.
Even when primary systems remain intact, external integration points can serve as gateways for attackers. These third-party ecosystems often are not subjected to the same level of scrutiny and control as the internal environments.
Attackers will therefore impersonate HR or IT personnel via phone and text to trick individuals into granting access or divulging sensitive information. Although the data accessed may appear limited, it can subsequently fuel highly targeted phishing or bespoke social engineering schemes on customers by using their own personal data.
Organisations should therefore view third-party applications, vendor tools, and CRM systems as integral extension points of their own attack surface. They should restrict access to what is necessary, and implement Privileged Access Management (PAM), zero-trust architectures, and zero-knowledge approaches to limit exposure. They should require all partners and third-party platforms to undergo regular security assessments and continuous monitoring. Employees should be trained with frequent simulation testing in order to raise awareness. It’s also important that organisations deploy continuous monitoring and rapid response in order to flag and attend to any unusual access.
The Workday breach is not an isolated incident – it’s part of a broader, escalating digital threat landscape where malicious actors seek to exploit human trust, third-party tools, and misaligned legacy processes. Organisations must treat security as an enterprise-wide discipline, extending beyond the immediate perimeter, into every integration, every external vendor, and every employee interaction.”
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, reinforced that technical controls have limits: “Social engineering continues to be the most common way organisations get breached, for this very reason, that technical controls have their limitations. We currently don’t have effective ways for technology to screen and block phone calls in the same way that we can reduce some of the risk with emails. So, it’s important to not only educate people on these risks, but to empower them to say no to any suspicious requests that may come in and follow a separate, more secure process. There needs to be wider awareness raised as the information stolen can be used to craft convincing follow-on scams, which could be used as a foothold to an even bigger attack.”
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, added that companies need stronger internal processes: “Organisations like Workday need to put processes in place that will foil vishing calls like the ones that took down Workday. Companies need to train their employees and executives on how to recognise schemes like this, and provide ways to immediately contact IT when an attempt occurs. There should be security checklists put in place, requiring that they be completed before handing over any information or performing any actions that could be used to breach their servers.”
Finally, Chris Linnell, Associate Director of Data Privacy at Bridewell, cautioned that even seemingly low-risk breaches can escalate: “The recent disclosure by Workday regarding a breach of its third-party CRM platform has understandably raised concerns across the data protection and security community. On the surface, the impact appears to be low – primarily because the compromised data consists of business contact information, much of which is already publicly accessible. However, this should not lull organisations into complacency.
The real risk lies in the potential for targeted social engineering attacks. As seen in recent breaches involving high street chains like M&S, even seemingly innocuous contact details can be weaponised to craft convincing phishing or vishing campaigns. Workday customers and prospects should be particularly vigilant, as threat actors may exploit this data to impersonate Workday staff.
The good news is that Workday has confirmed the breach did not affect its core platform or customer tenant. This is a significant relief, especially given that Workday is widely used for HR and payroll processing, often involving sensitive and special category data. The confidentiality of employee data, such as health information, diversity metrics, and financial details, remains intact.
This incident underscores the ongoing need for robust employee training around social engineering. Traditional phishing simulations are no longer sufficient. Organisations must explore more creative and engaging methods to ensure that awareness messaging resonates and drives behavioural change.
Finally, the breach serves as a reminder of the importance of supply chain security. Organisations must ensure that their suppliers and partners embed strong controls across people, processes, and technology. As the saying goes, you’re only as strong as your weakest link.”
The Workday breach serves as a stark reminder that even when sensitive customer data is not directly exposed, attackers can still exploit seemingly benign information to launch more sophisticated campaigns. As experts agree, defending against these threats requires more than just technical safeguards; it demands a blend of rigorous employee training, resilient processes, and heightened scrutiny of third-party systems. With social engineering attacks growing in frequency and sophistication, organisations must treat every integration, every partner, and every employee as part of their security perimeter.