Workday Security

Washington University recently adopted Workday, a cloud-based software system for managing finances, human resources, and planning. The new system provides a single, integrated system for managing multiple facets of daily operations at WashU. 

WashU takes the security of your data and our systems seriously. Therefore, the system that we use to manage sensitive information such as personal and payroll data must demonstrate strong security. Workday offers several important security features. The software automatically encrypts all user data before it is stored in the database using the Advanced Encryption Standard and a unique encryption key for each customer. In addition, Workday uses Transport Layer Security (TLS) to protect user access over the internet, preventing eavesdropping, tampering, and forgery. Our Workday implementation features Multifactor Authentication via WUSTL Key and WashU DUO 2FA to create a barrier to entry for credential phishers who may try to log into your account. Workday applications are hosted in secure data centers under constant surveillance, and the software company contracts with third-party firms that conduct regular vulnerability assessments of their systems. More information about Workday security features is available on the company’s website:

Workday does its part to ensure the security of their software and systems, but cybercriminals continuously attempt to capture login credentials for these types of systems. The Workday system contains troves of sensitive personal information and is important to the daily operations of our institution. As such, it is an appealing target for cybercriminals who attempt to phish our users for login credentials with the goal of holding this vital data ransom or rerouting direct deposit payments. For example, in 2018 cyberattackers infiltrated the computer systems of Roadrunner Transportation Systems, Inc., a Wisconsin-based freight services company. According to Roadrunner’s lawyer, the hacker gained access to Workday by sending phishing emails to the company’s employees. In the attack, the hackers modified the direct deposit information of some employees. Fortunately, Roadrunner detected the changes before any funds had been transferred. 

Cyberattackers are eager to get into systems like Workday, so it is crucial that each of us remains on guard for phishing attempts. Your vigilance is especially important during this rollout because our deployment dates are widely available online, providing potentially useful information to phishers who may attempt to attack our users and institution. We expect to be targeted by phishing attacks as we implement this new system, and we’re counting on you to help keep WashU secure by detecting and reporting phishing attempts. An example of a Workday phishing attempt serves as the “Scam of the Month” in this edition of our newsletter. 

If you receive a phishing attempt, please report it to the Office of Information Security by forwarding the message to We will investigate the threat and, if necessary, eliminate the phishing message throughout our system. When you report phishing to our office, you protect yourself, your colleagues, and the entire institution from cybercrime. Thank you for all that you do to help keep WashU secure.