Workday, a human resources organization, has announced it experienced a cybersecurity incident. More than 19,300 individuals are employed at Workplace across North America, EMEA and APJ. The client list contains more than 11,000 companies across a range of sectors, including almost two-thirds of the Fortune 500 companies.

According to the organization’s blog post on the incident, Workday was targeted by a social engineering campaign. The post stated, “In this campaign, threat actors contact employees by text or phone pretending to be from human resources or IT. Their goal is to trick employees into giving up account access or their personal information.”

Malicious actors accessed data from Workday's third-party CRM platform. However, there is no evidence that customer tenants (or the data inside) were accessed. 

Below, security leaders discuss the implications of this attack. 

Security Leaders Weigh In

Thomas Richards, Infrastructure Security Practice Director at Black Duck:

The rise in social engineering attacks by malicious actors should alarm any organization’s security team. This also demonstrates that the attackers are out of other options and are resorting to more difficult and time-consuming methods to attack these organizations. Every piece of information they gain in these attacks can be used to conduct further campaigns and get closer to their goals. Organizations should put their employees on alert for any suspicious phone calls and texts, reminding them that HR and IT will never directly contact them for that information. 

Chad Cragle, Chief Information Security Officer at Deepwatch: 

This is another reminder that in cybersecurity, breaches rarely happen in isolation, they ripple. Attackers don’t stop at one vendor; they pivot across the ecosystem, looking for the next weak link. Think of it like a row of dominoes, once one falls, the rest are in play. For companies, the takeaway is simple; you can’t just trust your vendor’s perimeter, you need continuous monitoring, strong identity controls, and rapid detection baked into your own environment. Otherwise, you’re betting your business on someone else’s defense.

J Stephen Kowski, Field CTO at SlashNext Email Security+:

The Workday CRM incident shows the same playbook seen in the Salesforce-linked campaigns: social profiles are hijacked or spoofed, users are lured into legit-looking login flows, and stolen tokens or OAuth grants give deep access fast. Block this at the point of click with real-time link and QR inspection across email, mobile, browsers, and chat — plus rapid analysis that catches lookalike domains and phishing kits hosted on trusted platforms. Backstop with identity defenses that detect session theft and MFA bypass, and auto-revoke risky OAuth tokens while enforcing least privilege. Close the loop with live-intel phishing simulations so teams recognize the exact lures being used in these campaigns right now.

Boris Cipot, Senior Security Engineer at Black Duck:

Social engineering is a manipulative attack method that relies on psychology and social interaction skills to deceive victims into releasing sensitive information. Attackers trick victims into performing actions that aid in gaining access to sensitive information, often requiring multiple interactions and “internal” information to appear legitimate.

To protect against social engineering, organizations should establish and enforce strict procedures for handling sensitive information, such as not providing information over the phone, even to high-ranking executives, including the CEO. Employees should be aware of these procedures and understand that they will not be penalized for refusing to provide information or assist someone impersonating a superior.

The victims of the data breach should be careful. Workday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques. Although the breached information may be limited to commonly known business data in this case, individuals should still be vigilant to avoid falling prey to further attacks.

Darren Guccione, CEO and Co-Founder at Keeper Security:

The data breach impacting Workday is a perfect illustration of the persistent and evolving risk posed by social engineering tactics targeting third-party platforms. The situation is reflective of a troubling trend across enterprise software vendors, and it appears connected to a broader wave of recent attacks similarly targeting CRM systems at multiple global enterprises via sophisticated social engineering and OAuth-based tactics.

Even when primary systems remain intact, external integration points can serve as gateways for attackers. These third-party ecosystems often are not subjected to the same level of scrutiny and control as the internal environments.

Attackers will therefore impersonate HR or IT personnel via phone and text to trick individuals into granting access or divulging sensitive information. Although the data accessed may appear limited, it can subsequently fuel highly targeted phishing or bespoke social engineering schemes on customers by using their own personal data.

Organizations should therefore view third-party applications, vendor tools and CRM systems as integral extension points of their own attack surface. They should restrict access to what is necessary, and implement Privileged Access Management (PAM), zero-trust architectures and zero-knowledge approaches to limit exposure. They should require all partners and third-party platforms to undergo regular security assessments and continuous monitoring. Employees should be trained with frequent simulation testing in order to raise awareness. It’s also important that organizations deploy continuous monitoring and rapid response in order to flag and attend to any unusual access.

The Workday breach is not an isolated incident — it’s part of a broader, escalating digital threat landscape where malicious actors seek to exploit human trust, third-party tools and misaligned legacy processes. Organizations must treat security as an enterprise-wide discipline, extending beyond the immediate perimeter, into every integration, every external vendor and every employee interaction.