
Cyber Alert: Workday Cyber Breach Emphasizes the Growing Risk of SaaS Solutions across Enterprises
By Alliant Cyber / September 08, 2025
Recent cyber attacks have shown an alarming shift in the methods and techniques employed by malicious actors, who are increasingly focusing on Software as a Service (SaaS) solutions. This includes attempts to exploit vulnerabilities in technologies commonly implemented in SaaS solutions, such as OAuth and other access and authorization sharing technologies. Additionally, attackers are exploiting the inherent vulnerabilities associated with humans falling victim to phishing attacks.
Background & Incident Overview
In a public blog statement on August 15, 2025, software provider Workday notified the public that the organization suffered a data breach after a targeted social engineering attack focused on a third-party customer relationship management (CRM) system employed by the organization.
Workday stated that the breach did not impact its own client solution environments and that its clients’ data was not compromised in this attack. Rather, the compromised data included “commonly available business contact information” from Workday’s CRM, including names, email addresses and phone numbers.
According to Workday’s statement, the malicious attacker’s campaign involved contacting Workday’s employees via text messages and/or phone calls, with malicious actors posing as representatives from Workday Information Technology (IT) and Human Resources (HR). The malicious actors were using these tactics to harvest personal information from victims, in addition to obtaining access to Workday systems and information.
From Workday’s post, it appears that the attackers were able to access information from the organization’s third-party CRM system. Workday did not identify in its statement which CRM platform it uses.
Workday stated that the information the attackers compromised was limited to commonly available public business contact information like names, phone numbers and email addresses. Workday went on to state that it appears the attackers harvested this information to potentially use it in other subsequent attacks, including other phishing or social engineering campaigns.
Workday stated, “There is no indication of access to customer tenants or the data within them. We acted quickly to cut the access and have added extra safeguards to protect against similar incidents in the future.”
Why It Matters
The pervasive adoption of SaaS and other third-party solutions, including CRM tools, has led to significant sprawl in the technology footprint of many organizations. This significant expansion of cloud-based and other hosted software solutions has brought an undesirable side effect: an ever-expanding security vulnerability footprint.
Many organizations have not evolved or enhanced their cyber security controls, risk management and governance programs to keep pace with their technology footprint and vulnerability exposure. This has produced a virtual treasure trove for would-be attackers to exploit.
This includes traditional technical security vulnerabilities, such as weak software configurations, but is further exacerbated by the widespread use of access and authorization sharing utilities and architectures, such as OAuth and others. While these innovative approaches to security have many merits, they must be assessed, hardened and managed against cyber threat and risk considerations.
When technical vulnerabilities in SaaS solutions and other third-party solutions exist, they may be used in compound attacks that also seek to compromise human vulnerabilities, such as widespread phishing campaigns.
Based on information shared to date regarding the recent Workday incident, and several other well-publicized similar attacks, this is becoming a critical cyber threat trend, which organizations must be hyper-focused on in the immediate term.
These risks will only continue to grow, fueled in part by the desire to adopt Artificial Intelligence (AI) enabled solutions and services, which are becoming common innovations in many third-party, cloud-based and SaaS services.
Mitigating the Risk
Addressing the emerging cyber risks associated with SaaS, AI and other third-party solutions will require a multifaceted, proactive, action-based approach. The time to act is now.
To mitigate risks and enhance cybersecurity posture, organizations should consider the following actions:
- Enhance Cloud, SaaS and Overall Vendor Management: Conduct an inventory and full assessment of current third parties, with a focus on higher-risk cloud, SaaS and other platforms. Develop stringent criteria for vendor selection, define critical controls and requirements, and continuously monitor their security practices.
- Adopt and Enhance Security Controls Across SaaS and other Cloud Environments: Conduct hardening and security enhancement actions across all cloud-based and externally facing applications, systems and technology environments. Don’t rely on third-party service providers or SaaS providers to provide this security “out of the box.”
- Conduct Regular Security Audits: Regularly assess and update security protocols, focusing on access controls and data encryption.
- Implement Multi-Factor Authentication (MFA) and Other Enhanced Authentication, Authorization and Access Controls: Ensure all systems, especially cloud, SaaS and other third-party solutions, require MFA, and that the use of access or authorization solutions such as OAuth is appropriately reviewed, secured, tested and monitored in order to reduce the risk of unauthorized access or exploitation.
- Develop Incident Response Plans: Establish and regularly update comprehensive incident response strategies to quickly address potential breaches.
- Educate Employees: Provide ongoing training to employees about phishing attacks and other common cyber threats to foster a security-aware culture.
- Review Cyber Insurance Coverage: Reach out to your cyber broker to review current coverages and policy considerations. If a cyber incident impacts your organization, you want to have assurance that your cyber liability program and coverage are in alignment with your risk.
How Alliant Cyber Can Help
Alliant Cyber is committed to assisting in navigating these complex challenges by offering tailored risk management solutions and expert guidance. Our team is dedicated to helping organizations strengthen their cybersecurity frameworks to prevent breaches and respond effectively when incidents occur.
Alliant Cyber has a truly integrated team of practitioners and leaders in the specialized domains of cyber risk management, cybersecurity, cyber insurance brokerage, claims and cyber risk mitigation strategies. Our team of consultants, brokers, analysts and experts assists clients across the spectrum of cyber risks and threats, including those related to SaaS, cloud security, third parties, phishing and many others.
In today’s climate, responding quickly and effectively to cyber incidents is not just recommended—it’s essential. For more information on enhancing your organization's cybersecurity posture, please contact Alliant Cyber.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.