Workday hit by social engineering data breach targeting its CRM platform
Workday, the cloud-based software company providing human resources systems, announced on Friday that some customer information was obtained in a social engineering attack.
The company — a constituent of the S&P 500 which reported more than $8.4 billion in revenue last year — described itself as one of many organisations impacted by a recent campaign targeting Customer Relationship Management (CRM) platforms.
In its statement, the company said it “recently identified that Workday had been targeted and threat actors were able to access some information from our third-party CRM platform,” although it did not identify which platform it uses.
Workday stressed there was “no indication of access to customer tenants or the data within them.”
“We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future,” the company said.
The threat actor was able to obtain what Workday described as “commonly available business contact information, like names, email addresses, and phone numbers,” which it speculated could be exploited “potentially to further their social engineering scams.”
Other companies that have recently announced data breaches resulting from CRM social engineering attacks include Allianz Life, Qantas and Hawaiian Airlines.
The attacks come amid industry warnings about cybercriminals targeting Salesforce CRM tools, with the hackers impersonating IT support personnel over the phone in attempts to steal organisations’ data and issue extortion demands.
In March, Salesforce published its own alert about social engineering attacks, stating it “builds enterprise-grade security into every part of our platform,” while stressing “customers play a vital role in protecting their data.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.