Third-Party Software Suppliers: A Supply Chain Cyber Risk?

Workday, the widely used HR software provider, has confirmed it has been caught up in a cyber attack that runs through Salesforce’s customer relationship management (CRM) platform.
The attack leaves the personal information of 70 million individual users and the business data of 11,000 corporate customers potentially exposed. It also pushes companies to re-examine their reliance on third-party platforms and the weak points this creates across supply chains.
The breach came to light on 6 August, though Workday did not specify when the unauthorised access first took place.
The company says threat actors found business contact information such as names, phone numbers and email addresses stored within its systems, but Workday is clear that its core HR systems, referred to as customer tenants, are not affected.

Are third-party suppliers new attack routes?

The incident highlights a broader campaign against Salesforce. Tech companies like Google and Cisco, airline Qantas and retailer Pandora are also confirmed as victims.
The pattern suggests that cybercriminals are deliberately shifting focus towards third-party providers whose platforms give them access to vast pools of data.
Workday’s position in the market makes it a prime target. Around 60% of the Fortune 500 depend on its HR platform, creating an interconnected ecosystem of suppliers and customers vulnerable through shared tools.
As Tina McGriff, Information Security Analyst at AMN Healthcare, explains: "SaaS and CRM platforms aren’t side projects, they are prime targets. If they’re not on your audit radar, you’re already behind."
Google links the campaign to ShinyHunters, a group known for phishing operations. Phishing is the fraudulent attempt to obtain sensitive information by posing as a trustworthy entity, often through email or phone calls.
In this case, attackers contact staff directly, posing as IT or HR personnel to trick them into sharing access credentials.
Charles Mazarura, Cyber Security Engineer at NFP Europe, voices the debate within the security community: "Are these incidents a testament to the increasing sophistication of phishing tactics, or do they highlight gaps in organisational training and awareness?"

Gaps in transparency and disclosure

While Workday insists there is no evidence that customer tenant data is compromised, questions remain about the company’s disclosure practices.
It confirms that it cut access quickly and added safeguards, but it does not clarify whether its logging systems can confirm the scale of exfiltration. Nor does it specify whether the stolen data relates to its own employees or those of its customers.
Concerns increase after researchers discover hidden "noindex" tags in the company’s official breach notification. These tags prevent search engines from displaying the page, which makes it harder for affected organisations or researchers to find the information.
Workday offers no explanation for why its disclosure is restricted in this way. The lack of openness feeds a growing unease across industries about whether firms are prioritising reputation management over meaningful engagement with risk.

The ripple effect of stolen contact data

Security analysts stress that stolen contact information can serve as the foundation for further attacks.
Workday itself admits: "The information obtained by the attackers may be useful for other social engineering attempts."
Social engineering refers to manipulating people into giving up confidential information, often by exploiting trust or authority. With verified phone numbers and company hierarchies now in criminal hands, phishing campaigns can appear more authentic, making employees more likely to comply.
Josh Moulin, Founder of cybersecurity firm Natsar, underlines the wider danger across supply chains: "If threat actors are targeting your vendors, they’re targeting you. Assume exposure, act accordingly."
That warning captures the essential point of the Workday breach. The risk lies not just in direct attacks but in the interdependency of today’s business world. A single supplier compromise can cascade across networks, exposing partners, clients and millions of individuals.
As technology continues to underpin global business, companies face the same challenge: how to balance efficiency and scale through third-party platforms with the mounting risk that those very platforms create.
For Workday’s customers, the question now is whether vendor trust is still enough protection in an environment where attackers always search for the weakest link.




