In the midst of the boom in digital services and corporate automation, cybersecurity has become a critical priority for companies operating in the cloud. The most recent case demonstrating this vulnerability is that of Workday, one of the main providers of technology for human resources, which suffered a security breach through an external platform.
This incident at Workday not only compromises the integrity of the contact data of its users and clients, but also highlights a structural problem: the dependence on third-party systems and the increasing sophistication of attacks based on social engineering. Far from being a minor threat, this kind of leak, as occurred with Workday, can act as a gateway to much more complex fraud, affecting the reputation, security, and operations of companies globally.
What is Workday and why is this breach significant?
Workday is a leading company in financial management, business planning, and human resources solutions. Workday’s services are used by over 11,000 companies worldwide, and it is estimated that its platform supports 70 million users. Among Workday’s clients are large corporations, public institutions, and universities, granting it a strategic role within the corporate digital ecosystem.
A security breach at a company of Workday’s caliber not only affects the exposed data, but also calls into question the level of protection in the modern business environment. Moreover, a cyberattack like Workday’s can have far-reaching legal, economic, and social implications.
The fact that the incident did not occur in Workday’s main systems, but rather in a database belonging to an external provider, raises a key question: to what extent do companies like Workday actually control the data they store when they rely on third parties?

What kind of information was stolen?
According to what Workday confirmed, attackers accessed an external database used to manage client relationships. It stored basic but sensitive information: names, email addresses, phone numbers, and other contact data related to current or potential clients.
Although, at first glance, this data might seem low‑risk, the truth is that it can have a significant impact if used as the basis for personalized attacks, identity theft, and corporate fraud. In other words, no passwords or HR files were directly leaked, but enough data was exposed to carry out more complex psychological manipulation strategies against Workday’s clients.
Furthermore, Workday did not specify how many individuals were affected, nor clarify whether the compromised data belonged to employees, client executives, or other associated parties. This lack of precision from Workday increases uncertainty, erodes trust, and hampers preventive actions by those who might have been exposed.
Social engineering: the most effective method of modern cybercrime
One of the most worrisome aspects of the Workday incident is that everything indicates it was an attack based on social engineering. Instead of attempting to penetrate Workday’s systems through purely technical methods, attackers likely used tactics such as voice phishing (vishing), pretending to be legitimate employees to deceive real workers.
These techniques, increasingly frequent and effective, rely on prior knowledge of organizational structures. With real names, valid contact numbers, and internal email addresses, criminals can mimic authentic communications and convince employees to grant system access or approve malicious actions.
The human element has become the weakest link in digital security, as in Workday’s case. No matter how sophisticated technological defenses may be, they can be rendered ineffective by a wrong click, an innocent approval, or a deceptive phone call that grants attackers network access.
Who is behind these attacks?
While Workday has not publicly identified those responsible, various investigations point to a cybercriminal group known as ShinyHunters. This group is known for large‑scale data thefts and for operating through impersonation, social manipulation, and exploitation of OAuth access on platforms like Salesforce, and now Workday.
ShinyHunters do not act as an isolated hacking group. They are part of a global network dedicated to stealing information, selling it on the underground market, and extorting victims by threatening to publish sensitive data if a ransom is not paid. This type of operation has become a highly profitable and professionalized business.
Recently, companies such as Google, Cisco, Adidas, Qantas, Pandora, and Dior have also been victims of similar attacks. All of these cases share a pattern with Workday: the exploitation of databases hosted on cloud services, use of legitimate credentials, and social engineering as the main attack vector.
A chain of trust that is too fragile
The Workday incident reflects a structural problem in how companies manage digital security: excessive reliance on third parties and a lack of real control over the services they use. The compromised databases were hosted on an external CRM platform, not on the company’s central servers.
This raises troubling questions: how much do companies know about the security measures implemented by their providers? What level of audit do they conduct before integrating external solutions? Are they prepared to assume responsibility if a technological partner fails?
The SaaS (Software as a Service) business model that Workday uses offers multiple advantages, but it also involves ceding control. If ceding that control is not accompanied by active and rigorous oversight, the risks multiply. A company like Workday may invest millions in protecting its infrastructure, but if an external entity with weaker safeguards is breached, all that investment can be rendered useless.
Lack of transparency: Why hide the information?
Another controversial aspect was how Workday communicated the breach. Although the company published an official statement on its website, it included a technical tag that prevented the page from being indexed by search engines. In other words, Workday tried to keep the information from being easily discovered by the general public.
Such decisions by Workday fuel distrust. In a context where users and clients expect transparency, minimizing the visibility of an incident like Workday’s can be seen as a maneuver to protect corporate image at the expense of the public’s right to know.
Furthermore, Workday avoided providing key details: the volume of data stolen is unknown, as is the profile of those affected. It has also not been confirmed whether Workday individually notified the potential victims. This opacity contradicts recommendations from cybersecurity bodies and international data protection regulations.

Possible Consequences for Users and Companies
Although no financial data or passwords were leaked, the information stolen from Workday can have serious consequences. An attacker who knows the name, position, and contact information of a Workday executive can send a fraudulent email simulating a payment order, a technical request, or a security alert. The likelihood of that email being opened, read, and answered is much higher than in a generic phishing attempt.
Companies like Workday whose data has been exposed could become targets of fraud campaigns, scam calls, and identity theft, and could suffer financial losses. Even more serious attacks could occur if criminals manage to use this information to gain deeper access to internal systems.
In addition to financial damage, there is reputational damage to Workday. The perception that a company like Workday has lost control over the contact information of its executives or clients can lead to loss of trust, contract cancellations, and a decline in brand value.
Security as Culture, Not Just Technology
One of the fundamental lessons this incident leaves for Workday is that security must be part of the organizational culture, not just a matter of technical infrastructure. Most current breaches, as in Workday’s case, do not happen due to system errors, but because of human failures: weak passwords, clicks on malicious emails, improper approvals, lack of two-step verification.
Training staff, establishing clear protocols, applying the “zero trust” principle, and constantly reviewing access and permissions are essential practices. Companies like Workday must invest as much in training their people as in purchasing tools.
Also, companies like Workday must assume that no system is infallible and prepare incident response plans. Knowing how to act, whom to inform, and how to minimize the impact is as important as preventing the attack itself.
What Measures Should Workday Take Now?
Workday’s immediate priority must be to rebuild trust. This means not only ensuring that the breach has been contained but also demonstrating with facts that measures are being taken to prevent new incidents. Informing clearly, collaborating with authorities, offering support to those affected, and strengthening security policies are essential steps for Workday.
Additionally, Workday should thoroughly review all its third-party relationships, audit the external platforms used, and apply stricter validation criteria. It is not enough to rely on a provider’s reputation: their level of protection must be continuously verified.
Furthermore, Workday can take this episode as an opportunity to lead by example and promote a stronger and more collaborative security culture among its clients and partners. Being transparent in its processes and sharing lessons learned helps strengthen the business ecosystem against common threats that make no distinction between large or small companies.
The Global Context: An Alarming Increase in Cloud Cyberattacks
The breach at Workday is not an isolated case, but part of a growing trend in 2025: the rise of attacks targeting cloud services and SaaS platforms, where many companies have migrated their most sensitive information.
CRM platforms like Salesforce have become a preferred target because they store large volumes of customer, employee, and critical process data. By accessing them, attackers can obtain valuable information to extend their reach and cause significant damage.
This type of cyberattack reflects a new phase in cybercrime, which is no longer limited to exploiting technical vulnerabilities but instead combines advanced social engineering techniques with targeted attacks. Hackers are becoming more strategic, selecting specific targets and preparing personalized attacks with a higher probability of success.
Regulatory and Legal Impact: What Does It Mean for Companies?
Security incidents like the one experienced by Workday also have consequences in the regulatory framework. In many jurisdictions, there are laws that require companies to quickly report security breaches affecting personal data. A lack of transparency or delay in notification can lead to significant fines and legal damage.
In Europe, the General Data Protection Regulation (GDPR) sets strong requirements for the protection of personal information and penalizes the lack of appropriate measures. In the United States, there are state data breach notification laws, which require informing those affected without undue delay.
For a global company like Workday, which operates in multiple countries, complying with these regulations means having clear, coordinated, and agile procedures to respond to security incidents. This not only reduces legal risks but also improves corporate image in the eyes of clients and partners.
The Importance of International Cooperation and Information Sharing
Since cyberattacks cross borders, international collaboration between governments, organizations, and companies is crucial to prevent and mitigate incidents. Sharing information about threats, tactics used by attackers, and detected vulnerabilities helps build more effective joint defenses. Initiatives such as Threat Intelligence Centers and public-private alliances are essential tools to anticipate future attacks. A coordinated response can enable the rapid detection and neutralization of groups like ShinyHunters, dismantling their operations and protecting a greater number of companies and users.
Preparing for the Future: Toward Proactive and Adaptive Security
The Workday case is a wake-up call for all organizations that rely on cloud services. Security cannot be a reactive or isolated activity: it must be integrated at every stage of the digital lifecycle, from provider selection to daily application use.
Investing in technologies such as artificial intelligence for anomaly detection, multi-factor authentication, automated access management, and ongoing staff education is essential. Moreover, companies must adopt a stance of constant vigilance and be ready to adapt to new threats. Digital resilience will be the key to surviving and thriving in an environment where innovation and risk advance hand in hand.

The data breach at Workday, although limited in scope according to the company, represents a structural challenge for the business technology ecosystem. The Workday case reminds us that no company is exempt from risk and that true security depends on a comprehensive vision combining technology, organizational culture, transparency, and cooperation.
Users, clients, and employees must be aware of the threats and work with their organizations to maintain high standards of protection. Responsibility is shared, and only through joint efforts can we effectively face the growing wave of cybercrime.
In an increasingly interconnected world, protecting data means protecting trust, continuity, and the very future of companies and society.