A stolen Workday ISU has no human to reset: mass HR and payroll theft
A Workday Integration System User is a non-human service account with a key. Stolen and over-privileged, it pulls full-population payroll and PII reports for exfiltration.
Workday Integration System Users are the non-human accounts that drive payroll feeds, provisioning, and reporting. They hold standing access and authenticate with a key, not a person, so when the attacker holds that key there is no human to reset.
How the attack works
An attacker obtains the credential of an over-privileged ISU and drives the Workday integration and report APIs to pull mass HR, payroll, and PII reports, a common pre-extortion theft pattern. The Workday sign-on audit shows the ISU authenticating from a new source outside its scheduled integration window, then Report-as-a-Service (RaaS) calls for worker roster, compensation, and tax data spike far above the normal nightly delta feed. Full-population reports including national IDs, bank routing numbers, and compensation are exported and shipped off-platform. In ATT&CK terms this is T1078 (Valid Accounts) paired with T1567 (Exfiltration Over Web Service).
Why it works
An ISU should have a tight, predictable baseline: one source, one window, one delta-sized feed. This one was not held to it. The credential had no expiry or source restriction and the ISU held broad report access, so a stolen key acted with standing trust and no human control in the loop.
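The three deviations described above (a sign-on from a new source, a sign-on outside the scheduled window, and report volume far above the delta baseline) can be checked mechanically against a per-ISU baseline. The block below is an added example, not Workday's code: the record fields (user, source_ip, time, report, rows, population) are an assumed normalised shape, not Workday's sign-on audit or report execution log schema, and the ISU name, CIDR, window hours, row counts and events are constructed for the example. It also flags a full-population run by an ISU that is not allowed one, which the page lists as the root-cause control.

```python
"""Baseline-deviation checks for a Workday Integration System User (ISU).

Added example; not Workday's code. The record fields below are an assumed
normalised shape, not Workday's own log schema, and every name, address,
time and row count is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class IsuBaseline:
    allowed_cidr: str                      # the one source the integration host uses
    window_start_utc: int                  # scheduled nightly window, start hour (inclusive)
    window_end_utc: int                    # end hour (exclusive)
    expected_rows: dict                    # report name -> typical delta-feed row count
    full_population_allowed: frozenset = frozenset()  # reports this ISU may run in full


# Constructed baseline for one ISU: one source, one window, one delta-sized feed.
BASELINES = {
    "ISU_Payroll_Feed": IsuBaseline(
        allowed_cidr="10.20.0.0/24",
        window_start_utc=1,
        window_end_utc=3,
        expected_rows={"Worker_Roster": 40, "Compensation_Delta": 25},
    ),
}

# Constructed events. The first sign-on and the first two report runs are the
# normal nightly delta; the rest are the attacker reusing the stolen key.
SIGNONS = [
    {"user": "ISU_Payroll_Feed", "source_ip": "10.20.0.15", "time": "2024-05-06T01:05:00Z"},
    {"user": "ISU_Payroll_Feed", "source_ip": "203.0.113.77", "time": "2024-05-06T14:22:00Z"},
]
REPORT_RUNS = [
    {"user": "ISU_Payroll_Feed", "report": "Worker_Roster", "rows": 38, "population": "delta"},
    {"user": "ISU_Payroll_Feed", "report": "Compensation_Delta", "rows": 22, "population": "delta"},
    {"user": "ISU_Payroll_Feed", "report": "Worker_Roster", "rows": 9800, "population": "full"},
    {"user": "ISU_Payroll_Feed", "report": "Compensation_Delta", "rows": 9800, "population": "full"},
    {"user": "ISU_Payroll_Feed", "report": "Tax_Elections", "rows": 9800, "population": "full"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(ts, start, end):
    """True if ts falls in [start, end) UTC hours; handles windows that cross midnight."""
    h = ts.hour
    return start <= h < end if start < end else (h >= start or h < end)


def check_signon(rec, b):
    """Sign-on from a source outside the allow-listed range or outside the scheduled window."""
    findings = []
    if ipaddress.ip_address(rec["source_ip"]) not in ipaddress.ip_network(b.allowed_cidr):
        findings.append(("new_source",
                         f"{rec['user']} signed on from {rec['source_ip']}, outside {b.allowed_cidr}"))
    ts = parse_ts(rec["time"])
    if not in_window(ts, b.window_start_utc, b.window_end_utc):
        findings.append(("outside_window",
                         f"{rec['user']} signed on at {ts:%H:%M}Z, outside "
                         f"{b.window_start_utc:02d}:00-{b.window_end_utc:02d}:00Z"))
    return findings


def check_report_run(rec, b, spike_factor=5):
    """Row count far above the delta baseline, an unbaselined report, or a disallowed full-population pull."""
    findings = []
    expected = b.expected_rows.get(rec["report"])
    if expected is None:
        findings.append(("unbaselined_report",
                         f"{rec['user']} ran {rec['report']}, which has no baseline for this ISU"))
    elif rec["rows"] >= spike_factor * expected:
        findings.append(("volume_spike",
                         f"{rec['report']} returned {rec['rows']} rows, "
                         f"{rec['rows'] // expected}x the {expected}-row delta baseline"))
    if rec["population"] == "full" and rec["report"] not in b.full_population_allowed:
        findings.append(("full_population",
                         f"{rec['user']} ran {rec['report']} against the full population"))
    return findings


def detect(signons, report_runs, baselines=BASELINES):
    """Return (kind, detail) findings for every event that deviates from its ISU's baseline."""
    findings = []
    for rec in signons:
        if rec["user"] in baselines:
            findings.extend(check_signon(rec, baselines[rec["user"]]))
    for rec in report_runs:
        if rec["user"] in baselines:
            findings.extend(check_report_run(rec, baselines[rec["user"]]))
    return findings


if __name__ == "__main__":
    for kind, detail in detect(SIGNONS, REPORT_RUNS):
        print(f"{kind:20} {detail}")
```

On the constructed events the nightly run produces no findings and the attacker's session produces eight: one new-source and one out-of-window sign-on, two volume spikes, one unbaselined report, and three full-population pulls. The spike factor of 5 is an assumption; tune it per ISU from the observed delta-feed variance rather than globally, since the point of the check is that each ISU has exactly one normal shape.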
How to fix it
The principal is the ISU's key, so there is no MFA prompt to fire and no password reset to send. Disable the ISU in Workday and rotate its credential; that terminates its active sessions and also breaks the legitimate integration's authentication, so coordinate with the integration owner before re-enabling it. Then scope what it pulled. A firewall block on the attacker's source IP is bypassed by changing source, and resetting a human's password touches nothing the attacker holds. For the root cause, scope every ISU to least-privilege security groups, restrict each to an allow-listed source IP range, set credential expiry and rotation, and review which integrations may run full-population PII reports at all. Scope the theft from the report execution log, which names each report run and its population, and assess employee-PII notification obligations by data type and jurisdiction.
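The scoping step above turns the report execution log into a per-jurisdiction list of affected workers and exposed data types. The block below is an added example, not Workday's code or a GraphLattice Range artifact: the execution-log record shape (report, time, population, fields), the worker roster, the compromise start time and the set of data types treated as notification-triggering are all constructed assumptions for the example. Runs before the first anomalous sign-on are excluded as legitimate, and a population the code cannot resolve is scoped conservatively as the full roster rather than dropped.

```python
"""Scope a stolen ISU's theft from the report execution log and roll it up
by data type and jurisdiction for notification assessment.

Added example; not Workday's code. The record shape, roster, timestamps
and sensitivity list are constructed assumptions for the example.
"""
from datetime import datetime, timezone

# Data types assumed to trigger notification on their own (assumption for the example;
# the real list depends on jurisdiction).
HIGH_SENSITIVITY = {"national_id", "bank_routing", "bank_account", "tax_withholding"}

# Constructed roster: worker id -> jurisdiction of employment.
WORKERS = {"w001": "US", "w002": "US", "w003": "DE", "w004": "GB"}

# Constructed execution-log records for the ISU. The 01:05 run is the normal
# nightly delta and predates the compromise; the others are the attacker's pulls.
EXECUTION_LOG = [
    {"report": "Worker_Roster", "time": "2024-05-06T01:05:00Z", "population": "delta",
     "fields": ["worker_id", "name"]},
    {"report": "Worker_Roster", "time": "2024-05-06T14:25:00Z", "population": "full",
     "fields": ["worker_id", "name", "national_id"]},
    {"report": "Bank_Details", "time": "2024-05-06T14:31:00Z", "population": "full",
     "fields": ["worker_id", "bank_routing", "bank_account"]},
    {"report": "US_Tax_Elections", "time": "2024-05-06T14:40:00Z", "population": "country:US",
     "fields": ["worker_id", "tax_withholding", "compensation"]},
]

# First anomalous ISU sign-on, taken from the sign-on audit (constructed).
COMPROMISE_START = "2024-05-06T14:22:00Z"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def affected_workers(population, workers):
    """Resolve a report's population filter to the set of worker ids it covered."""
    if population == "full":
        return set(workers)
    if population.startswith("country:"):
        country = population.split(":", 1)[1]
        return {w for w, j in workers.items() if j == country}
    # Anything the log does not let us resolve is scoped as the full roster:
    # under-counting here is the failure mode to avoid.
    return set(workers)


def scope_theft(log, workers, compromise_start):
    """Per-jurisdiction summary of workers, data types and reports exposed after compromise_start."""
    start = parse_ts(compromise_start)
    summary = {}
    for run in log:
        if parse_ts(run["time"]) < start:
            continue  # legitimate pre-compromise run
        exposed = {f for f in run["fields"] if f != "worker_id"}
        for w in affected_workers(run["population"], workers):
            entry = summary.setdefault(workers[w], {"workers": set(), "data_types": set(), "reports": set()})
            entry["workers"].add(w)
            entry["data_types"].update(exposed)
            entry["reports"].add(run["report"])
    for entry in summary.values():
        entry["notify"] = bool(entry["data_types"] & HIGH_SENSITIVITY)
    return summary


if __name__ == "__main__":
    for jurisdiction, entry in sorted(scope_theft(EXECUTION_LOG, WORKERS, COMPROMISE_START).items()):
        print(f"{jurisdiction}: {len(entry['workers'])} workers, "
              f"types={sorted(entry['data_types'])}, reports={sorted(entry['reports'])}, "
              f"notify={entry['notify']}")
```

The output is the input to the notification assessment, not the assessment itself: the US entry carries tax and compensation data the DE and GB entries do not, and which of those combinations is reportable, and to whom, is a per-jurisdiction legal question. Keep the compromise start time tied to the first anomalous sign-on rather than the first anomalous report run, since the attacker may have browsed before pulling anything.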
Practice it
We built this as a GraphLattice Range scenario so responders can rehearse disabling and rotating a stolen ISU and scoping the PII that left from the execution log.