02 September 2025

Workday has disclosed a data breach resulting from attackers exploiting a third-party Customer Relationship Management (CRM) platform through social engineering tactics.

The company confirmed that no customer core systems or tenant data were compromised, with the information accessed limited to business contact details such as names, email addresses, and phone numbers.

Discovered on 6 August and publicly disclosed on 15 August, the breach involved malicious actors impersonating HR and IT personnel to deceive employees via SMS and phone calls. This enabled the attackers to gain access to the CRM system through compromised OAuth applications. Since the incident, Workday has taken steps to block unauthorised access, implemented additional safeguards, and urged stakeholders to remain alert against phishing and vishing attempts. The company emphasised that legitimate communications will never ask for passwords or sensitive information over the phone.

This incident follows a growing pattern of CRM-targeted breaches affecting major organisations like Google, Adidas, and Qantas, exposing the increasing risks associated with OAuth abuse and third-party integrations in enterprise environments.

Security experts warn that the breach underscores the persistent dangers posed by social engineering and the vulnerabilities introduced through third-party applications.