Workday breach exposes business contact data via CRM attack
Workday has disclosed a data breach after attackers exploited a third-party Customer Relationship Management (CRM) platform through social engineering tactics.
The company confirmed that no customer tenant or core system data was affected, with the exposed information limited to business contact details such as names, email addresses and phone numbers.
The breach, discovered on 6 August and disclosed on 15 August, involved attackers impersonating HR and IT staff to trick employees via SMS and phone calls. This enabled access to the CRM through malicious OAuth applications.
Workday said it has since blocked unauthorised access, introduced additional safeguards, and urged stakeholders to remain vigilant against phishing attempts. The company stressed that official communications will never request passwords or sensitive data over the phone.
The incident follows a wave of similar CRM-targeted breaches affecting companies including Google, Adidas and Qantas, underscoring the growing threat of OAuth abuse and the risks associated with third-party integrations.
Expert reaction
Security experts have warned that the breach highlights the growing risks posed by social engineering and third-party applications.
Dray Agha, senior manager of security operations at Huntress, said:
"This incident underscores three non-negotiable defences: Eliminate OAuth blind spots and enforce strict allow-listing for third-party app integrations and review connections at regular intervals. Adopt phishing-resistant MFA: Hardware tokens are essential, as 'MFA fatigue' attacks remain trivial. A huge number of attacks begin with social engineering, users being deceived, and user enrolment in execution of malware - effective security awareness training is a must for any organisation that wishes to repudiate cyber-attacks."
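The article describes CRM access obtained through malicious OAuth applications, and Agha's first recommendation is an allow-list for third-party integrations that is re-reviewed at regular intervals. The following script, added here as an illustration and not code from Workday, Huntress or any CRM vendor, shows what such a review looks like in practice: it takes an export of app grants, compares each against an approved list of client IDs and scopes, and flags unknown apps, over-privileged apps and grants whose last review is stale. The client IDs, scope names, the 90-day review interval and the sample grant records are all constructed assumptions; a real run would pull the grant list from the CRM or identity provider's admin API.

```python
"""Audit OAuth app grants on a SaaS tenant against an explicit allow-list.

Added example, not Workday's or Huntress's code. Client IDs, scope names,
the review interval and the grant export below are constructed for
illustration; a real run would read grants from the platform's admin API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed allow-list: approved client_id -> scopes that app may hold.
ALLOWED_APPS: Dict[str, Set[str]] = {
    "client-marketing-sync-0001": {"contacts.read"},
    "client-support-desk-0002": {"contacts.read", "tickets.write"},
}

REVIEW_INTERVAL = timedelta(days=90)  # assumed policy: re-review quarterly


@dataclass
class Grant:
    """One third-party app authorisation as an admin console would export it."""
    app_name: str
    client_id: str
    scopes: Set[str]
    granted_by: str
    granted_on: date
    last_reviewed: Optional[date] = None


@dataclass
class Finding:
    client_id: str
    reason: str
    detail: str


def audit_grants(grants: List[Grant], allowed=ALLOWED_APPS,
                 today: Optional[date] = None,
                 review_interval: timedelta = REVIEW_INTERVAL) -> List[Finding]:
    """Return findings for grants that break the allow-list or review policy.

    Checks, in order of severity:
      1. client_id not on the allow-list at all (unknown integration);
      2. allow-listed client_id holding scopes beyond what was approved;
      3. grant whose last review (or consent, if never reviewed) is older
         than the review interval.
    """
    today = today or date.today()
    findings: List[Finding] = []
    for g in grants:
        if g.client_id not in allowed:
            findings.append(Finding(g.client_id, "not_allow_listed",
                                    f"{g.app_name!r} granted by {g.granted_by}"))
            continue  # no point checking scopes on an app that should not exist
        excess = g.scopes - allowed[g.client_id]
        if excess:
            findings.append(Finding(g.client_id, "excess_scopes",
                                    ",".join(sorted(excess))))
        reviewed = g.last_reviewed or g.granted_on
        if today - reviewed > review_interval:
            findings.append(Finding(g.client_id, "review_overdue",
                                    f"last reviewed {reviewed.isoformat()}"))
    return findings


# Constructed sample export: two sanctioned apps and one consented through a
# user-facing OAuth prompt that the integrations team never approved.
SAMPLE_GRANTS = [
    Grant("Marketing Sync", "client-marketing-sync-0001", {"contacts.read"},
          "integrations@example.com", date(2025, 3, 1), date(2025, 7, 15)),
    Grant("Support Desk", "client-support-desk-0002",
          {"contacts.read", "tickets.write", "contacts.export"},
          "integrations@example.com", date(2025, 1, 10), date(2025, 2, 1)),
    Grant("IT Helpdesk Assistant", "client-unknown-9999",
          {"contacts.read", "contacts.export"},
          "employee@example.com", date(2025, 8, 5)),
]


def run_sample_audit() -> List[Finding]:
    """Audit the constructed export as of a fixed date so results are stable."""
    return audit_grants(SAMPLE_GRANTS, today=date(2025, 8, 15))


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason so a reviewer sees the shape of the problem."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.reason:16} {f.client_id:28} {f.detail}")
```

On the constructed export the unknown "IT Helpdesk Assistant" app is flagged outright, while the sanctioned Support Desk app is reported twice: once for holding a `contacts.export` scope it was never approved for, and once because its last review is well past the 90-day window. Separating "unknown app" from "approved app with drift" matters operationally: the first is a revoke-now case, the second is a ticket for the integration owner.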
Tim Ward, CEO and co-founder at Redflags, noted the psychological risks of such attacks:
"Workday's warning is correct; any information that attackers can use to increase 'familiarity' in subsequent social engineering attacks will significantly increase their impact. Psychological effects like authority bias, cognitive ease, social proof, and the mere exposure effect mean we are more likely to trust communications from them and be less likely to check for or notice telltale signs of social engineering. A healthy scepticism combined with helpful security awareness nudges at the point of risk to help encourage caution can be critical to protect people in organisations from these threats."
Boris Cipot, senior security engineer at Black Duck, emphasised the manipulative nature of such attacks:
"Social engineering is a manipulative attack method that relies on psychology and social interaction skills to deceive victims into releasing sensitive information. Attackers trick victims into performing actions that aid in gaining access to sensitive information, often requiring multiple interactions and 'internal' information to appear legitimate. To protect against social engineering, organisations should establish and enforce strict procedures for handling sensitive information, such as not providing information over the phone, even to high-ranking executives, including the CEO."
He added: "Although the breached information may be limited to commonly known business data in this case, individuals should still be vigilant to avoid falling prey to further attacks."
Jamie Akhtar, CEO and co-founder at CyberSmart, said training is crucial:
"This breach demonstrates two things. Firstly, given that Workday is the latest in a long list that includes Adidas, Qantas, Google, and Air France-KLM to be compromised in this way, it shows how effective and sophisticated social engineering campaigns have become. Secondly, it highlights the need for every business to engage in proper, targeted cybersecurity awareness training. It's very difficult to completely eliminate social engineering threats through technical means alone."
Third-party risk
Darren Guccione, CEO and co-founder of Keeper Security, warned that integration points remain vulnerable:
"The data breach impacting Workday is a perfect illustration of the persistent and evolving risk posed by social engineering tactics targeting third-party platforms. The situation is reflective of a troubling trend across enterprise software vendors, and it appears connected to a broader wave of recent attacks similarly targeting CRM systems at multiple global enterprises via sophisticated social engineering and OAuth-based tactics."
He added that organisations must "require all partners and third-party platforms to undergo regular security assessments and continuous monitoring".
Javvad Malik, lead security awareness advocate at KnowBe4, said:
"Social engineering continues to be the most common way organisations get breached, for this very reason, that technical controls have their limitations. We currently don't have effective ways for technology to screen and block phone calls in the same way that we can reduce some of the risk with emails."
Chris Hauk, consumer privacy advocate at Pixel Privacy, called for stronger internal processes:
"Organisations like Workday need to put processes in place that will foil vishing calls like the ones that took down Workday. Companies need to train their employees and executives on how to recognise schemes like this and provide ways to immediately contact IT when an attempt occurs."
Chris Linnell, associate director of data privacy at Bridewell, highlighted the importance of supply chain security:
"The recent disclosure by Workday regarding a breach of its third-party CRM platform has understandably raised concerns across the data protection and security community. On the surface, the impact appears to be low – primarily because the compromised data consists of business contact information, much of which is already publicly accessible. However, this should not lull organisations into complacency. The real risk lies in the potential for targeted social engineering attacks."
He concluded: "This incident underscores the ongoing need for robust employee training around social engineering. Traditional phishing simulations are no longer sufficient. Organisations must explore more creative and engaging methods to ensure that awareness messaging resonates and drives behavioural change. Finally, the breach serves as a reminder of the importance of supply chain security. As the saying goes, you're only as strong as your weakest link."