Workday at the end of last week reported a data breach after an intrusion into its CRM platform, blaming a wide ranging social engineering campaign by threat actors.
In the campaign, threat actors contact employees by text or phone, pretending to be from the human resources or IT department. Their goal is to trick employees into giving up account access or personal information.
Workday said that threat actors – widely reported to be the hacker group ShinyHunters – were able to access some information from a third-party CRM platform but that there was no indication of access to customer tenants or the data within them. The type of information obtained is said to have been commonly available business contact information including names and email addresses.
While Workday didn’t identify the breached third-party database, Google and Cisco are among large organisations that have had data stolen from Salesforce databases in recent weeks, attributed to ShinyHunters.
Social engineering attacks can also include deepfakes, in which someone’s image is manipulated and can be used to give any number of commands, including extracting confidential information from staff or instructing them to transfer money.
AI is making that easier than ever. At ILTACON 2025, Jim McKenna, chief information officer of Fenwick & West and part of ILTA’s technology program committee demonstrated live a deepfake of himself, asking it questions in real time.
Demonstrations such as this – spun up in a conference and lacking the sophistication of some deepfakes – bring home the scale of the risks. Watch the short video clip below: