If your employer uses Workday — and there’s a good chance they do — your salary, bank account number, and social security or national ID number may have been sitting exposed on the internet. Not because of a dramatic hack. Because of a configuration mistake. Varonis Security Research uncovered a serious Workday HCM API misconfiguration affecting Fortune 500 companies, and the details are genuinely alarming.
What Is Workday, and Why Should You Care?
Workday is the HR and payroll software that runs behind the scenes at over 60% of Fortune 500 companies — major banks, tech giants, government contractors, and large multinationals. Think of it as the digital backbone of an organisation’s HR department. It holds everything: your job title, your salary history, your performance reviews, your payroll bank account, your tax ID or SSN. If you work at a large company, Workday almost certainly has a detailed file on you.
Most employees never see the Workday interface directly. It runs in the background, quietly processing payroll, storing HR records, and talking to other business systems via something called an API — an Application Programming Interface. APIs are basically digital doors that let different software systems exchange data. The problem Varonis found is that some of those doors were left wide open.
The Workday HCM API Misconfiguration — What Actually Went Wrong
Here’s what happened: Workday runs what’s called a multi-tenant cloud environment. Multiple companies — different organisations, different employers — all run their Workday systems on shared infrastructure. Each company has its own “tenant” (think of it like a separate apartment in the same building). The idea is that the walls between apartments are solid. Your data stays in your apartment. Nobody else can peek in.
Varonis researchers found that wasn’t the case. The OAuth API endpoints — the technical gateways used to authenticate and exchange data — were improperly scoped. In plain English: the access permissions were set up wrong. A user from one company’s Workday tenant could enumerate (that’s the technical word for “list and access”) API tokens belonging to other tenants on the same shared infrastructure.
What could an attacker do with that? Pull employee names, salaries, Social Security Numbers, payroll bank account details, and HR performance records from organisations they have zero legitimate connection to. This isn’t a theoretical vulnerability. This is the kind of misconfiguration that, in the wrong hands, becomes a treasure map for identity theft and targeted fraud.
What concerns me most here is that this wasn’t caused by a software bug in Workday’s core code. It was a configuration problem — which means it existed silently, with no error messages, no alerts, no obvious red flags. The system worked exactly as configured. It was just configured badly.
Who Was Affected and How Serious Is This?
Workday’s client list reads like a who’s-who of global business. We’re talking about major US banks, technology companies, healthcare organisations, and government contractors — all of which use Workday HCM (Human Capital Management) to run their HR operations. The exposed data types read like a fraudster’s wish list:
- Full employee names and job titles
- Salary and compensation details — exact figures, not ranges
- Social Security Numbers (USA) or equivalent national IDs
- Payroll bank account numbers — the accounts your wages land in
- HR performance review records
The Varonis report specifically flagged that Indian IT companies providing Workday integration services for Middle East clients were also caught up in this. That’s a significant detail I’ll come back to in a moment.
Sound familiar? This follows the same pattern as the MOVEit and GoAnywhere breaches from 2023 — enterprise software that organisations trust completely, configured incorrectly, exposing massive amounts of sensitive data without a single phishing email or brute-force attack being involved.
What This Means For India, UAE, and Saudi Arabia Users
This one hits close to home for the Indian IT services sector specifically. Indian companies — including major names in the SAP and Oracle integration space, and increasingly in Workday implementation — regularly handle HR system deployments for clients across the Middle East. UAE and Saudi Arabia have seen enormous growth in enterprise software adoption over the past five years, and Workday is a major part of that.
When Varonis flags “Indian IT companies providing Workday integration services for Middle East clients,” they’re pointing at a real and specific risk. Integration partners often have elevated API access to client Workday tenants — it’s how they do their job. If those integration accounts had misconfigured OAuth scopes, the exposure potentially extends across the entire client portfolio of that Indian IT firm.
For employees in the UAE and Saudi Arabia whose companies use Workday: your data may be stored on the same shared infrastructure. Workday’s cloud doesn’t have a separate Middle East instance for every client. Multi-tenancy means your employer’s data lives alongside dozens of other organisations’ data. A misconfiguration in one tenant is a potential window into others.
For Indian IT professionals working in Workday integration roles: your API credentials and the configurations you deploy are now under scrutiny. This is the kind of finding that triggers compliance audits — expect your clients to start asking hard questions about OAuth scope configurations and API token management.
For UK and US employees at Fortune 500 firms: if you haven’t checked whether your payroll bank account details are still correct and haven’t been tampered with, that’s the first thing to do this week. Payroll diversion fraud — where attackers change the bank account wages are sent to — is one of the most financially damaging results of this kind of exposure.
Digi Trendz Expert Take
I’ve been watching enterprise SaaS security for years, and the Workday HCM API misconfiguration story fits a pattern that genuinely worries me. The security conversation in most organisations focuses on perimeter defence — firewalls, antivirus, phishing training. Meanwhile, the actual sensitive data lives inside HR and ERP platforms that are configured by implementation consultants under time pressure, and then never properly audited again.
Here’s the thing: OAuth misconfiguration isn’t exotic. It’s not a zero-day exploit that only nation-state hackers can pull off. It’s the kind of mistake that happens when API scopes are set to “broad” during a rushed implementation and nobody goes back to tighten them. The Workday platform itself didn’t fail. The people configuring it didn’t follow least-privilege principles. And thousands of employees paid the price with their most sensitive personal data sitting exposed.
What this signals to me is a wider industry problem. Cloud HR platforms are being adopted faster than organisations can build the internal expertise to secure them properly. Workday is not the last platform where this will surface. I’d expect similar findings in other major HCM platforms over the next 12-18 months.
If you’re an IT or HR leader at a company using Workday — or any SaaS HR platform — the question you need to ask your implementation partner today is: “Can you show me the OAuth scope configuration for every API integration we have running?” If they can’t answer that question quickly and specifically, that’s your answer right there. Check out our cybersecurity how-to guides for more on locking down enterprise software configurations.
6 Steps to Protect Yourself and Your Organisation Right Now
- Audit your Workday OAuth API scopes immediately. Log into your Workday tenant as an administrator, go to Security → OAuth 2.0 Clients, and review every registered API client. Any client with broader scopes than its specific function requires should be narrowed down. If you don’t know what a scope does, restrict it and test — don’t leave it broad “just in case.”
- Check your payroll bank account details haven’t been changed. Log into your employee self-service Workday portal (your employer’s HR portal login), navigate to Pay → Payment Elections, and verify the bank account on file is correct. If anything looks wrong, contact HR immediately and flag it as a potential payroll diversion incident.
- Enable multi-factor authentication on your Workday account. In your Workday profile, go to Account → Manage Authentication Policies and confirm MFA is active. If your employer hasn’t enforced this, escalate it to your IT or HR team — this is a non-negotiable in 2024.
- For IT teams: rotate all API tokens associated with integration accounts. In Workday, go to Security → Manage Integration System Users, identify every integration account, and force a token rotation. Any token that’s been active for more than 90 days without review should be treated as potentially compromised until proven otherwise.
- Run a Workday Security Audit Report. Workday has a built-in report called the Security Audit Report — find it by searching “Security Audit” in the Workday search bar. Run it and look specifically for any API access events from unexpected IP addresses or outside business hours. Anomalous access patterns are often the first visible sign that tokens have been enumerated.
- If you’re in the UK or US, place a fraud alert on your credit file. Go to Experian (experian.com), Equifax (equifax.com), or TransUnion (transunion.com) and place a free 90-day fraud alert. This makes it harder for anyone using your SSN or financial details to open new credit accounts in your name. In the UAE, contact Al Etihad Credit Bureau (aecb.ae) to check your credit report for anomalies.
Bottom Line
The Workday HCM API misconfiguration is exactly the kind of quiet, unglamorous data exposure that causes real financial harm to real people — and it’s the kind that organisations are slowest to catch because there’s no dramatic breach notification, just a configuration sitting wrong for months. Your salary details, your bank account, your SSN — all of it potentially readable by someone with the right API access. If your employer uses Workday, push your IT team to audit OAuth configurations now, not next quarter. And check your own payroll details today.
Original Report:
Workday HCM API Misconfiguration Exposes Employee Salaries and Bank Details at Fortune 500 Firms
Reported by: varonis.com
Digi Trendz Coverage: May 16, 2026
Digi Trendz covers cybersecurity news with independent analysis for readers in India, UAE, Saudi Arabia, UK and USA.
Our team reviews every article for accuracy before publication.
Leave a Reply