Workday data breach potentially revealed contact information

Editor’s note — This story has been updated to clarify the accusation that Workday tried to conceal the data breach.

(KRON) — Human resources software platform Workday confirmed last week that it had been targeted in a data breach. According to the Pleasanton-based company, it was victimized in a social engineering campaign that targeted large organizations.

The campaign, according to a Workday blog post, involved hackers contacting employees by text or phone and pretending to be from human resources or IT. The goal of the hack, Workday said, was to trick employees into giving up account access or personal information.

In this case, it sounds like the hackers were successful and were able to access information from Workday’s third-party customer relationship management (CRM) platform. Workday did not identify which CRM platform was targeted.

The type of information hackers obtained, Workday maintains, was limited to commonly available public business contact information like names, phone numbers, and email addresses. This information, the company said, could potentially be used by hackers to “further their social engineering scams.”

“There is no indication of access to customer tenants or the data within them,” Workday said. “We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.”

However, the company did not explicitly rule out the possibility that customer information was also exposed in the hack.

According to a report in TechCrunch, Workday initially included a hidden “noindex” tag in the source code of the blog post disclosing the hack, making it difficult for the page to surface in search results.

“It’s not clear for what reason Workday is hiding its data breach notification from search engines,” TechCrunch wrote.

According to Workday, the “noindex” tag has since been removed. A Workday representative also told KRON4 that it notified customers and partners of the breach on Friday.

The company provided us with the following statement:

“We’re one of several companies targeted by a sophisticated social engineering scam. All signs show that our customers’ Workday data remains secure. Some commonly available business contact information was accessed, and we’ve informed our customers and partners so they can protect themselves from similar campaigns. We’ve also adopted additional security measures internally to protect our own employees.”
