Attorney
Workday, Inc. (NASDAQ: WDAY), headquartered in Pleasanton, California, provides cloud-based software solutions to over 11,000 organizations worldwide. Its platform is deeply embedded across industries, including universities, hospitals, corporations, and government agencies.
Because of this extensive reach, the Workday CRM Data Breach could potentially affect tens of millions of people. Current estimates suggest that more than 70 million employees, students, and healthcare professionals may be connected to organizations that rely on Workday’s systems.
- Healthcare workers at hospitals and medical systems
- Students, faculty, and staff at colleges and universities
- Employees of corporations across finance, insurance, and tech
- Government staff at local, state, and federal levels
This scale highlights why the Workday CRM Data Breach is one of the most significant exposure risks of 2025.
“Workday did not explicitly rule out that customer information was taken in the data breach, stating only that there was “no indication of access to customer tenants or the data within them,” which corporate customers typically use to store the bulk of their human resources files and employees’ personal data.” TechCrunch (link)
If you work for an organization that uses Workday, you may receive a data breach letter, email notification from Workday, or suspicious-looking email — including emails that appear to come from Workday or Salesforce.
- Do not click links or open attachments.
- Report the message to your IT or HR department immediately.
- If you’ve received such a notice, or believe your information may be at risk, contact our Data Breach Lawyers at Woods Lonergan.
Contact Our Data Breach Lawyers 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation. We take no fees unless we win.
Woods Lonergan is a complex commercial and civil litigation firm that represents clients in select data breach class action lawsuits. Our Data Breach Lawyers are actively investigating the August 2025 Workday CRM Data Breach. Woods Lonergan has successfully pursued claims against national corporations, educational institutions, and technology vendors when failures in data security exposed sensitive personal, educational, and financial information.
What Happened in the Workday CRM Data Breach
- On August 6, 2025, Workday discovered unauthorized access to a third-party CRM system. The breach was publicly disclosed via a blog post on August 18, 2025.
- It has been reported that Workday claims hackers accessed names, email addresses, and phone numbers, though no core HR or payroll systems were compromised.
“As of the time of publication, Workday’s blog post disclosing the breach contained a hidden ‘noindex’ tag in its source code, which instructs search engines to ignore the page, making it difficult for anyone searching the web to find the page.” — TechCrunch (link)
The blog appears to have not been indexed in search engines, resulting in it being hidden from search results for nearly two weeks. This increases the likelihood that many affected individuals never saw any notice of the breach.
Why the Workday CRM Data Breach Matters
Workday is not a staffing agency — it is a cloud-based software platform used by corporations, hospitals, schools, and government agencies to manage their human resources, payroll, and financial operations. That means this breach may have exposed data not only of large organizations but of the individual employees, students, and healthcare professionals working within them.
Phishing risk is especially high. Hackers commonly use stolen contact information to send emails, calls, or texts impersonating trusted institutions. Clicking links or responding to these messages can expose more sensitive data like Social Security numbers, banking details, or login credentials.
“The only ‘notice’ you may ever receive of this breach could be a suspicious-looking email or text.” — TechCrunch (link)
If you work for an organization that uses Workday, you may receive a data breach letter, email notification from Workday, or suspicious-looking email — including emails that appear to come from Workday or Salesforce.
- Do not click links or open attachments.
- Report the message to your IT or HR department immediately.
- If you’ve received such a notice, or believe your information may be at risk, contact our Data Breach Lawyers at Woods Lonergan.
Contact Our Data Breach Lawyers at Woods Lonergan, 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation. We take no fees unless we win.
Ongoing Investigation of the Workday Data Breach
The investigation is still ongoing, and Workday has not disclosed how many individuals were affected. Until the full scope is revealed, your data may already be exposed.
Hackers often act quickly — selling stolen information on the dark web or using it in scams long before companies finish internal reviews.
This breach also appears to be part of the broader Salesforce CRM compromise, which impacted Google, Allianz, and other major corporations. Security researchers have linked the attack to the ShinyHunters hacker group, known for targeting third-party vendors to gain large-scale access.
“ShinyHunters have a well-documented history of infiltrating SaaS and CRM vendors, using that single point of access to ripple across hundreds of companies and millions of end users.” — SecurityWeek (link)
In reporting on a recent data breach to Google’s CRM, Reuters reports that, “The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page to approve the unauthorized, modified version of the app… If the employee installs the app, the hackers gain ‘significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.” — Reuters (link)
What makes this breach especially dangerous is that most federal and state data breach laws do not require companies like Workday to notify affected businesses. That means your information could be circulating among hackers right now, without your knowledge — until it’s too late.
Potential Legal Issues in the Workday Data Breach
This breach raises several key legal questions that courts and regulators may examine:
- Negligence / Negligence Per Se — failure to implement and maintain reasonable cybersecurity controls for highly sensitive HR, healthcare, and student data.
- Breach of Implied Contract — employees, students, and patients entrusted personal records to institutions that relied on Workday’s systems with the expectation of data security.
- Breach of Fiduciary Duty / Confidentiality — potential failure to protect confidential employment, medical, and academic information.
- Unjust Enrichment — Workday and its clients benefited from data collection without implementing safeguards to prevent foreseeable risks.
- Violations of State Data Protection Laws — including the New York SHIELD Act and other state breach statutes (failure to notify impacted individuals; inadequate security).
About Woods Lonergan PLLC
Woods Lonergan PLLC is a nationally recognized plaintiff firm specializing in complex civil litigation, including class action, data privacy, and cybersecurity matters. We have a proven track record of successfully holding corporations accountable for data breaches and protecting the rights of consumers. Our firm is currently representing plaintiffs in open litigation for numerous significant data breaches in 2025, including cases involving Powerschool, Ahold Delhaize, Aflac Insurance, Johnson Controls, Community Health Center and DISA Global Solutions.
- In 2025, Woods Lonergan settled on behalf of plaintiffs in data breach litigation, including the 23andMe Data Breach Lawsuit for $30 Million in the Northern District of California.
- A preliminary settlement of $18 Million was reached in the Yale New Haven Health Data Breach in August 2025.
- In June 2025, a multi-million dollar settlement was successfully reached in the Sunflower Medical Group data breach case in the U.S. District Court for the District of Kansas.
If you work for an organization that uses Workday, you may receive a data breach letter, email notification from Workday, or suspicious-looking email — including emails that appear to come from Workday or Salesforce.
- Do not click links or open attachments.
- Report the message to your IT or HR department immediately.
- If you’ve received such a notice, or believe your information may be at risk, contact our Data Breach Lawyers at Woods Lonergan.
Contact Woods Lonergan’s Data Breach Lawyers 24/7 at (332) 378-0376 or email loganlowe@woodslaw.com for a free and confidential consultation. We take no fees unless we win.
FAQs About the Workday Data Breach
What kind of notice did Workday provide of the breach?
Notices were directed primarily to Workday’s corporate customers, not to individuals. Workday also posted a blog statement on its website, but it appears to have not been indexed by search engines. As a result, it was hidden from search results for nearly two weeks, making it unlikely that most affected individuals saw it. Read the Workday blog here.
Who could be affected by the Workday Data Breach?
Employees of universities, hospitals, government agencies, and major corporations that use Workday software may have had their contact data (names, emails, phone numbers) exposed.
Do I need to have clicked a phishing link to qualify?
No. Simply having your data exposed is enough to establish risk. If you experienced phishing attempts, fraud, or identity theft following this breach, you may be eligible for compensation.
Can small and medium-sized businesses be part of this case?
Yes — if a business received a direct data breach notification or letter from Workday, you may also have a claim. Contact Woods Lonergan’s Data Breach Lawyers at (332) 378-0376
Can I be a named plaintiff, or join the class in the case?
Yes. If your contact data was exposed and you experienced harm — such as phishing attempts, financial losses, or identity theft — you could serve as a named plaintiff or be part of the class.
What damages could individuals recover?
Potential damages may include compensation for fraud losses, costs of credit monitoring, time spent repairing credit, and statutory damages under state privacy laws.
Legal Issues Could Arise from the Workday Data Breach?
| Failure to Notify Individuals | Workday informed businesses but not individuals, raising compliance questions under state breach notification statutes. |
Negligence in Safeguards | Plaintiffs may argue Workday failed to implement reasonable vendor oversight or technical controls. |
| Contractual Liability | Disputes may arise over whether Workday’s contracts improperly limit liability for third-party breaches. |
| Consumer Protection | Concealing or limiting breach disclosure (e.g., via hidden blog post) could trigger state deceptive practices claims. |
| HIPAA/FERPA Overlap | If hospital patient or school student data was affected by the data breach, Workday may face claims under federal privacy laws. |
Sources
- https://techcrunch.com/2025/08/18/hr-giant-workday-says-hackers-stole-personal-data-in-recent-breach/?utm_source=chatgpt.com
- https://blog.workday.com/en-us/2025/workday-security-update.html
- https://www.securityweek.com/hr-software-provider-workday-discloses-data-breach/