Third-party CRM blamed for possible theft of employee information
Human resources giant Workday has confirmed a data breach after attackers gained access to a third-party customer relationship management (CRM) platform in a social engineering attack.
According to a blog post on the company’s website, threat actors contacted employees by text or phone pretending to be from human resources or IT with the intention of tricking them into giving account access or other personal information.
Workday said the threat actors were able to access some information from the CRM but there was no indication of access to customer tenants or the data within them. It added that it quickly took action to cut access and subsequently added extra safeguards to protect against similar incidents in the future.
The type of information the actor obtained was primarily commonly available business contact information such as names, e-mail addresses, and phone numbers.
Website Bleeping Computer linked the breach to the ShinyHunters extortion group, which targets Salesforce CRM instances through social engineering and voice phishing attacks.
Boris Cipot, senior security engineer at application security specialist Black Duck, commented: “Social engineering is a manipulative attack method that relies on psychology and social interaction skills to deceive victims into releasing sensitive information. Attackers trick victims into performing actions that aid in gaining access to sensitive information, often requiring multiple interactions and ‘internal’ information to appear legitimate.
“To protect against social engineering, organisations should establish and enforce strict procedures for handling sensitive information, such as not providing information over the phone, even to high-ranking executives, including the CEO. Employees should be aware of these procedures and understand that they will not be penalised for refusing to provide information or assist someone impersonating a superior.
“The victims of the data breach should be careful. Workday should remain cautious and be aware of potential scams, phishing attacks, and social engineering techniques. Although the breached information may be limited to commonly known business data in this case, individuals should still be vigilant to avoid falling prey to further attacks.”
Workday has more than 19,300 employees. Its customer list comprises over 11,000 organisations across a range of industries, including more than 60% of the Fortune 500 companies.
TechCentral Reporters


