Data breach alert: Workday confirms personal data stolen; hackers could access names, emails, and phone numbers


Workday, a major provider of human resources technology, has confirmed a data breach that resulted in the theft of personal information from one of its third-party customer relationship databases.

Nature of the breach

In a blog post published on Friday, the company revealed that hackers accessed an unspecified volume of data, primarily comprising contact details such as names, email addresses, and phone numbers. Workday did not confirm whether any corporate customer information was affected, stating only that there was “no indication of access to customer tenants or the data within them.” These tenants are typically used by clients to store the bulk of human resources files and employees’ personal information.

Risks from stolen data

The company warned that the stolen information could be exploited in social engineering attacks, in which cybercriminals manipulate or threaten victims to gain access to sensitive data.

According to a TechCrunch report, Workday serves more than 11,000 corporate customers and supports at least 70 million users globally. According to Bleeping Computer, the breach was detected on 6 August.

Reportedly, the firm did not disclose the name of the compromised third-party database, but the incident comes amid a series of attacks targeting Salesforce-hosted databases. Recent victims include Google, Cisco, airline Qantas, and jewellery retailer Pandora, all of which suffered data theft from their cloud-based systems.

Details of the Google breach

Google confirmed that one of its Salesforce systems used for storing small and medium business contact data was briefly compromised by a cybercriminal group known as UNC6040, which uses voice phishing, or “vishing”, to trick employees into handing over access to sensitive tools.

The attackers used a social engineering technique in which they impersonated IT support staff during phone calls, convincing employees to authorise malicious software connected to their Salesforce environment. This allowed the group to access and extract basic business contact details, most of which, Google says, were already publicly available, before the breach was detected and stopped.

Notably, the group behind the attack, UNC6040, is known for targeting Salesforce platforms by abusing tools like the “Data Loader” app, a legitimate application that allows bulk data handling. In many cases, the hackers use fake versions of this app with misleading names, such as “My Ticket Portal,” to avoid detection during the phishing calls.
