Workday has confirmed it suffered a significant data breach stemming from a broad social engineering campaign that compromised a third-party vendor's system. The breach allowed unauthorized individuals to get into that system and potentially access sensitive data.
The attackers impersonated IT and human resources personnel, tricking employees into revealing personal information and account credentials. Workday described the attack in a blog post released on Friday.
By breaching the customer support system, the attackers gained access to support tickets containing the names, email addresses, and phone numbers of Workday's customers. Contact details of this kind are exactly what an attacker needs to make follow-on social engineering attempts more convincing. However, Workday has stated that it found no evidence the intruders accessed any data stored within its own systems. As a spokesperson told Cybersecurity Dive via email, "All signs show that our customer Workday data remains secure."
Workday operates as a leading AI-driven platform supporting human resources and payment management, with over 11,000 organizations globally utilizing its services, including more than 60% of Fortune 500 companies. This scale amplifies the potential impact of any security incident.
The incident fits a broader pattern of social engineering attacks associated with ShinyHunters, a hacking group tied to an underground cybercrime collective known as The Com. The Com also has connections to the well-known hacker group Scattered Spider, which has recently targeted industries including retail, insurance, and aviation.
Multiple attacks attributed to ShinyHunters have been reported, notably recent breaches involving Salesforce instances, as highlighted by researchers at Google. The group targeted one of Google's own Salesforce instances earlier this month, indicating the breadth of its targeting.
Reports from Reliaquest suggested possible collaboration between ShinyHunters and Scattered Spider, citing phishing domains themed around ticketing and pages designed to harvest Salesforce credentials. Findings like these show how interconnected current cyber threats have become.
In response to the incident, Workday has informed its customers and partners and put additional security measures in place to reduce the chance of similar breaches in the future. The company has stated explicitly that it does not contact individuals by phone to request passwords or personal information, which gives employees a simple check when they receive such a call.
This incident illustrates tactics from the MITRE ATT&CK framework: initial access through social engineering, use of the compromised credentials, and the potential for follow-on activity using the information gathered during the breach. Understanding these tactics is crucial for businesses seeking to bolster their defenses against attacks of this kind.