Workday Data Breach Linked to Widespread Salesforce Attacks

HR giant Workday has confirmed it has experienced a data breach by way of its Salesforce platform, with firms like Google and Cisco also victims of the attack.

Workday, one of the business world's most widely used HR platforms, has revealed that it has experienced a significant data breach this month, with the data of its 11,000 corporate customers and 70 million individual users now potentially exposed.

The company has confirmed that threat actors successfully accessed its business contact information including names, phone numbers and email addresses stored within the compromised database.

The breach was first discovered on 6 August, though the company has not specified exactly when the unauthorised access to its data occurred.

This attack follows on from a concerted campaign of cyberattacks directed at Salesforce, whose CRM platform Workday uses regularly.

Recent victims of similar attacks also include technology giants Google and Cisco, as well as the airline Qantas and the jewellery retailer Pandora.

Around 60% of the Fortune 500 use Workday's HR platform.

Targeting third-party software providers appears to be a new tactic for cybercriminals which gives them access to huge swathes of data and information.

"SaaS and CRM platforms aren’t side projects, they are prime targets," explains Tina McGriff, Information Security Analyst at AMN Healthcare. "If they’re not on your audit radar, you’re already behind."

Google has attributed these coordinated breaches to ShinyHunters, a cybercriminal group specialising in voice phishing techniques that are especially effective at manipulating corporate employees.

The hackers employ sophisticated social engineering tactics, typically contacting staff members and impersonating IT or HR personnel to coerce them into revealing sensitive credentials or system access codes.

Some industry insiders question whether it is the efficacy of the attackers' methods or the inadequacy of the companies' defences that has led to the recent slew of cybercrime.

Charles Mazarura, Cyber Security Engineer at NFP Europe, asks: "Are these incidents a testament to the increasing sophistication of phishing tactics, or do they highlight gaps in organisational training and awareness?"


Limited customer data exposure claimed

Workday maintains that customer tenant data has remained secure throughout the incident.

"There is no indication of access to customer tenants or the data within them," the company states in its breach notification.

"We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future."

However, the company has not confirmed whether it possesses sufficient technical logging capabilities to definitively establish what information may have been exfiltrated.

Workday also declined to specify the number of individuals affected or clarify whether the stolen data relates to company employees or customer contacts.


Concerns over transparency and disclosure practices

Security researchers have raised questions about Workday's approach to breach disclosure following the discovery of deliberate search engine restrictions.

The company's official breach notification contains hidden "noindex" tags within its source code, effectively preventing search engines from cataloguing or displaying the page in results.

This technical implementation makes it significantly more difficult for affected parties or security researchers to locate the breach announcement through standard web searches.

Workday has provided no explanation for implementing these search visibility restrictions on its data breach disclosure.
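
As an added illustration (not taken from the article or from Workday), the Python sketch below shows how a reader can check a saved copy of a page for the "noindex" directives described above, whether they sit in a robots meta tag or in an X-Robots-Tag response header. The sample HTML and the list of crawler names are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumed list of crawler names whose <meta> tags carry indexing directives.
ROBOT_META_NAMES = {"robots", "googlebot", "bingbot"}
BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"

# Constructed sample pages (not the real notification's source).
SAMPLE_HIDDEN = '<head><meta name="ROBOTS" content="NOINDEX, nofollow"/></head>'
SAMPLE_VISIBLE = ('<head><meta name="robots" content="index, follow">'
                  '<meta name="description" content="noindex"></head>')


class _RobotsMeta(HTMLParser):
    """Collects (source, directive) pairs from robots-style meta tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in ROBOT_META_NAMES:  # ignores e.g. name="description"
            for tok in a.get("content", "").split(","):
                self.directives.append((f"meta:{name}", tok.strip().lower()))


def find_noindex(html, headers=None):
    """Return the sorted sources (meta tag or header) that block indexing."""
    parser = _RobotsMeta()
    parser.feed(html)
    found = list(parser.directives)
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag":
            for tok in value.split(","):
                # A header value may be scoped to one bot: "googlebot: noindex"
                tok = tok.strip().lower().rsplit(":", 1)[-1].strip()
                found.append(("header:x-robots-tag", tok))
    return sorted({src for src, tok in found if tok in BLOCKING})


if __name__ == "__main__":
    print(find_noindex(SAMPLE_HIDDEN))
    print(find_noindex(SAMPLE_VISIBLE, {"X-Robots-Tag": "googlebot: noindex"}))
```

Checking the response header as well as the markup matters because a page can be kept out of search results by either one.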


Implications for targeted social engineering campaigns

Security experts warn that the compromised business contact information could facilitate subsequent social engineering attacks against affected organisations.

"The information obtained by the attackers may be useful for other social engineering attempts," Workday acknowledges in its statement.

The stolen data provides cybercriminals with verified contact details and organisational hierarchies that can enhance the credibility of future phishing attempts.


This intelligence gathering approach has become increasingly prevalent among cybercriminal groups seeking to establish trust with potential victims before launching more sophisticated attacks.

The broader Salesforce-targeting campaign demonstrates the effectiveness of focusing on widely-used business platforms rather than attempting to compromise individual company systems directly.

For industry experts like Josh Moulin, who is the founder of the American cybersecurity firm Natsar, businesses need to be more aware of cyberattacks up and down their supply chain.

"If threat actors are targeting your vendors, they’re targeting you," he explains.

"Assume exposure, act accordingly."