Human capital management (HCM) software giant Workday has disclosed a data breach affecting its third-party CRM System.
“We recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform,” the company stated.
Upon learning of the cyber incident, Workday said it disconnected the impacted system to deny the threat actor further access. The HCM giant also implemented additional security measures to prevent similar incidents in the future.
Third-party CRM system data breach impacts Workday’s client information
Workday also launched an investigation that determined that the attacker had exfiltrated “commonly available” business information, specifically the names, phone numbers, and email addresses.
“CRM tooling is often a key target for threat actors as they typically store limited, but valuable information that threat actors can either use themselves or sell on, with databases full of information that is useful, such as email addresses and other personal information,” warned Kevin Marriott, Senior Manager of Cyber and Head of secOps at Immersive.
While not particularly sensitive, the leaked details could enable the threat actor to expand their voice phishing attacks and target Workday clients’ employees.
“This information is then used in subsequent social engineering attempts, or combined with other data already collected to make future social engineering attempts even more personalised, using the data captured,” added Marriott.
However, the threat actor did not access Workday clients’ extensive human resources data, which was stored in a separate system. That data could typically include employees’ most intimate details, such as criminal background information and health records.
“There is no indication of access to customer tenants or the data within them,” the company asserted.
The nature of the data breach also suggested that Workday’s internal systems were not compromised, as the attack was constrained to the third-party CRM System.
While Workday did not attribute the data breach to any cyber gang, it linked it to an ongoing social engineering campaign, which other victims have linked to ShinyHunters targeting a Salesforce CRM system.
“In this campaign, threat actors contact employees by text or phone pretending to be from human resources or IT. Their goal is to trick employees into giving up account access or their personal information,” Workday explained.
Numerous organizations impacted by ShinyHunters’ cyber attack
So far, the campaign has impacted over a dozen organizations, including Google. Other confirmed or apparent victims of the ShinyHunters’ vishing attacks include LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co., French Luxury giant Chanel, German fashion colossus Adidas, American insurance company Allianz Life, and the Danish jewelry maker Pandora.
Networking gear manufacturer Cisco also disclosed that it was the victim of a data breach targeting an undisclosed third-party CRM system, which bore the hallmarks of the Salesforce vishing attack.
While the attacks do not exploit any product vulnerabilities, they leverage the weakest link in any security program, the human element.
“The successful attack methodology is not technically sophisticated, relying on classic social engineering and voice phishing,” Marriott continued.
According to Google, the attackers trick employees into authorizing a rogue OAuth bulk data import application on their organizations’ Salesforce portal.
Upon gaining access, the threat actors export the organization’s most critical information they can access and demand a ransom to avoid leaking the stolen data online.
Google assessed that ShinyHunters threat actors were in the process of developing a data leak site to further pressure victimized organizations into paying the ransom.
Meanwhile, the Workday third-party CRM system data breach occurred hot on the heels of another employee data leak affecting staffing giant ManpowerGroup’s Lansing, Michigan, subsidiary. Unlike the Workday data breach with impacted a managed CRM system, the Manpower of Lansing leak stemmed from a traditional ransomware attack that also disrupted operations.
“This is another reminder that in cybersecurity, breaches rarely happen in isolation; they ripple,” said Chad Cragle, Chief Information Security Officer at Deepwatch. “Attackers don’t stop at one vendor; they pivot across the ecosystem, looking for the next weak link. Think of it like a row of dominoes; once one falls, the rest are in play.”
“For companies, the takeaway is simple; you can’t just trust your vendor’s perimeter, you need continuous monitoring, strong identity controls, and rapid detection baked into your own environment. Otherwise, you’re betting your business on someone else’s defense,” Cragle concluded.
