
It's Never Okay to Share Your Workday Credentials: The Hidden Threat of Open Data Aggregators

Rachel Bullock

As enterprise resource planning (ERP) system administrators and consultants, prioritizing data security is our foremost concern. We collaborate with vendors to establish secure endpoints for file transfer, implement robust system security measures, and take various other steps to protect sensitive information within the system. However, what if there were a hidden threat lurking right under our noses, and we weren't even aware of it? This blog post sheds light on a concerning trend where users are sharing their ERP system credentials, unaware of the risks involved.



The Deceptive Practice

Believe it or not, a growing number of users are willingly providing their Workday login information to external companies without realizing the potential dangers. In certain situations, these companies claim to need access to the ERP system credentials to perform tasks like setting up direct deposits or verifying employment. Users might trust these applications and willingly share their login details, assuming that there is a valid agreement between the third-party company and their employer to access data in Workday. However, this couldn't be further from the truth.


Unregulated Backdoor Access

The truth is that there exists no valid agreement between these financial companies (e.g., Chime, MoneyLion, PerPay, Cleo) and the targeted ERP or payroll system for accessing user credentials. These financial companies often partner with payroll API companies like Atomic, Pinwheel, and Plaid to gain backdoor access to ERP and payroll systems. They use the captured credentials to authenticate as the named user and run scripts using a robotic process automation (RPA) bot through the UI to collect data. Because they are logging in as the user and it is a UI session, the session can reach any task or data that the user's security permissions allow. This process of open data aggregation via payroll API companies is becoming increasingly prevalent and poses significant risks to data security.

Understanding the Growing Industry

Open data aggregation is a burgeoning industry, and these various financial companies are actively convincing users to share their ERP credentials on an increasingly large scale. This concept is being called an "Open Finance ecosystem," and the idea is that end users own their own data and may grant access to such data to third parties as they wish. Although the idea of user data ownership is legitimate, allowing a user to share their access to any system containing others' data must be strictly forbidden.

Protecting Your ERP System Credentials

As data and security professionals, it's crucial to educate ourselves and our users about the risks associated with sharing ERP system credentials. We must stress the importance of not providing login information to anyone, no matter how legitimate their requests may seem. Additionally, advocating for multi-factor authentication and regular system audits can bolster the security of ERP and payroll systems.
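One way to support the system audits recommended above, as an added example rather than code from the original post: flag source IPs outside your own networks that sign in as several distinct accounts within a short window. It assumes bot sessions originate from the aggregator's infrastructure rather than the user's device; the CSV column names, the trusted network range, and the sample rows are constructed for illustration and are not a Workday report schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: networks your own users normally sign in from (office/VPN egress).
TRUSTED_NETS = [ip_network("198.51.100.0/24")]

# Constructed sample sign-on export; column names are assumptions.
SAMPLE_LOG = """\
timestamp,account,source_ip
2024-03-01T09:00:12,jdoe,198.51.100.7
2024-03-01T09:02:40,asmith,198.51.100.7
2024-03-01T09:03:05,bnguyen,198.51.100.9
2024-03-01T13:15:01,jdoe,203.0.113.44
2024-03-01T13:41:27,mlopez,203.0.113.44
2024-03-01T14:05:53,kpatel,203.0.113.44
2024-03-02T20:30:00,asmith,192.0.2.80
"""

def load_events(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events

def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_NETS)

def shared_source_findings(events, min_accounts=3, window=timedelta(hours=24)):
    """Map each untrusted source IP to the accounts it signed in as, when at
    least min_accounts distinct accounts appear within one time window."""
    by_ip = defaultdict(list)
    for e in events:
        if not is_trusted(e["source_ip"]):
            by_ip[e["source_ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, first in enumerate(evs):
            seen = {e["account"] for e in evs[i:]
                    if e["timestamp"] - first["timestamp"] <= window}
            if len(seen) >= min_accounts:
                findings[ip] = sorted(seen)
                break
    return findings

if __name__ == "__main__":
    for ip, accounts in shared_source_findings(load_events(SAMPLE_LOG)).items():
        print(f"{ip}: {len(accounts)} accounts, review sessions and reset: {accounts}")
```

Accounts listed in a finding are candidates for a password reset and a review of what the session accessed, since a UI session carries the full permissions of the user it signed in as.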

Conclusion

The growing trend of users sharing their ERP credentials with external companies poses a significant threat to data security. As professionals responsible for safeguarding sensitive information, we must stay vigilant and educate users about the risks involved. By promoting secure practices and raising awareness about the potential dangers of open data aggregation, we can better protect our systems and data from unregulated access and potential breaches. Remember, it's never okay to share your ERP system credentials, and together, we can maintain a safer digital environment.


© 2024 by Related Actions Consulting, LLC.