In August 2025, Workday, a leading human resources and financial management software provider, fell prey to a social engineering attack targeting a third-party customer relationship management (CRM) system. The incident exposed the company's business contact information, including names, emails, and phone numbers.
The same month, 2.5 million of Google's customer data records were compromised in a similar attack on its CRM system. One of the most powerful IT companies in the world fell victim to a voice phishing (vishing) attack that led to this incident.
Around that time, Farmer's Insurance, a leading US-based insurance company, also suffered an attack that affected 1.1 million members of its customer base. The company confirmed in a statement that unauthorized actors gained access to a third-party database that contained sensitive customer information.
These are all different companies, from different regions and different sectors, catering to widely varied customer bases—yet they all have one thing in common: In each case, their CRM provided a gateway for malicious actors to gain entry to their sensitive systems, offload millions of records, and hold them for ransom.
Security and Zoho CRM
Security is built into our DNA. While we take steps to improve product functionality continually and keep up with the dynamically evolving needs of our customers, we make sure that every build shipped, every feature released, and every new change is built with security at its core—including Zoho CRM.
Our product's architecture is built with a security-first approach, which means that our customers can trust us to keep their data secure and protected but available for effortless business use.
At its foundation, Zoho CRM is protected by several layers of security—an approach which eliminates any risks to your data with preventive controls, continuous monitoring, and strict access governance.
At the infrastructure level, Zoho CRM operates on secure, globally distributed data centers with strong physical and network protection. Customer data is protected both at rest and in transit. Regular security audits, vulnerability assessments, and compliance with global standards ensure that the Zoho CRM platform remains secure and reliable, making it suitable for enterprises and businesses of all sizes. Zoho complies with global standards such as SOC 2, ISO 27001, and several industry-specific certifications.

At the product level, Zoho's multi-tenant architecture emphasizes granular access controls, authentication, and traceability to keep customer data secure. Role-based access, profile-based permissions, and field-level access restrictions, along with secure data-sharing rules, ensure that users can only perform the operations (viewing, creating, editing, or deleting records) they're authorized to perform at the module and field level. Every action performed in Zoho CRM is logged in detailed audit trails for usage monitoring and anomaly detection. This lets organizations enforce their security and governance policies.
Security: A shared responsibility between Zoho and its customers
As a vendor, Zoho takes utmost care to keep your data safe and secure, but security is a shared responsibility between the vendor and its customers, particularly in the face of advanced attacks like phishing, sophisticated social engineering, ransomware, and malware.
Threat actors employ a multitude of tactics to gain entry into their target systems. In the examples described, voice phishing—where threat actors call some of the organization's CRM users pretending to be an IT assistant—was used to get users to perform actions that compromised the organization's data security. Another popular tactic is to get users to connect unauthorized applications or plug malware into their CRM systems, which then siphons data out of the CRM in small increments.
Such attacks call for joint action plans between us, the vendor, and you, the customer, to secure your data from attacks and threats. Below are some of the key security features and best practices that organizations can adopt on their side to ensure complete data security.
Tighten access to your CRM with multi-factor authentication (MFA)
Credential stuffing and password spraying are the most prevalent automated cyberattacks, driven in part by frequent re-use of passwords and the use of weak authentication protocols. The success rate of an individual password attack is comfortingly low, at about 0.1% to 2%. However, at the scale that bots can operate, aggregate success rates can reach as high as 40%, as stated in this article.
A simple yet effective way to guard your data against credential-related attacks is multi-factor authentication (MFA) using time-based one-time passwords (TOTP). On top of strong passwords that are never re-used, MFA provides an additional layer of security for your data. Zoho offers OAuth support with its own application, Zoho OneAuth. API access is likewise secured through OAuth-based authentication. Zoho also supports single sign-on (SSO) using industry standards like SAML if you're part of the ecosystem of Zoho apps.
In sales, external partners, third parties, or vendors often need access to select pieces of information in your CRM. Zoho CRM offers secure client portals through which external users—who aren't part of your organization—can securely access your system via authentication mechanisms such as OAuth and SSO.
Follow the principle of least privilege: Grant users access only to the data they need
A newly joined sales rep doesn't need access to the details of high-value deals in their first week on the job. The sales manager of one region—say, APAC—doesn't need access to customer history from another region. Enforce strong access controls and make sure users only have access to the data they need to complete their tasks. Anything more compromises your data security and exposes sensitive data to unforeseen threats; anything less hinders productivity and forces your agents to run to others for access to the data they need to do their jobs.
Zoho CRM offers profile-based and role-based access controls—the RBAC model—to ensure your data stays secure. Role-based user permissions limit access according to roles such as sales reps, area managers, branch managers, VPs, directors, and CEOs. Granular permission levels also define whether users can see their peers' data.
Use profile-based permissions to limit users' access to specific modules. That is, choose and limit what users can do in each module, such as create, view, edit, or delete records. Zoho CRM's profile-based permissions help you avoid giving free rein to every single CRM user, while ensuring users have the access and permissions to carry out their activities without impeding productivity.
Zoho CRM's access permissions also offer field-level permissions where you can determine if users associated with a specific profile can access—create, edit, view or delete—specific fields in any module in the CRM. For example, if you have your customers' credit card information in your Leads module, you can mask that field so that CRM users (your sales agents) won't have access to that field.
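To make the three layers described above concrete (role hierarchy for record visibility, profile permissions per module, and field-level masking), here is an added example in Python. It is a simplified, hypothetical model written for this article, not Zoho CRM's implementation or API; the role, profile and user names, and the `card_number` field, are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical model (assumption): a role tree decides whose records a user may
# see, a profile decides which actions are allowed per module, and a profile's
# masked fields are hidden from that user even on records they may view.


@dataclass
class Role:
    name: str
    reports_to: Optional[str] = None  # parent role; None at the top of the tree


@dataclass
class Profile:
    name: str
    module_actions: Dict[str, Set[str]] = field(default_factory=dict)  # module -> allowed actions
    masked_fields: Dict[str, Set[str]] = field(default_factory=dict)   # module -> hidden fields


@dataclass
class User:
    name: str
    role: str
    profile: str


@dataclass
class Record:
    module: str
    owner: str  # user name of the record owner
    data: Dict[str, str]


class AccessPolicy:
    def __init__(self, roles, profiles, users):
        self.roles = {r.name: r for r in roles}
        self.profiles = {p.name: p for p in profiles}
        self.users = {u.name: u for u in users}

    def subordinate_roles(self, role_name: str) -> Set[str]:
        """Every role below role_name, directly or indirectly."""
        below, frontier = set(), [role_name]
        while frontier:
            parent = frontier.pop()
            for r in self.roles.values():
                if r.reports_to == parent and r.name not in below:
                    below.add(r.name)
                    frontier.append(r.name)
        return below

    def can(self, user_name: str, action: str, record: Record) -> bool:
        """Deny by default: the profile must allow the action on the module AND
        the record must be the user's own or owned by a subordinate role."""
        user = self.users[user_name]
        allowed = self.profiles[user.profile].module_actions.get(record.module, set())
        if action not in allowed:
            return False
        owner = self.users[record.owner]
        return owner.name == user.name or owner.role in self.subordinate_roles(user.role)

    def view(self, user_name: str, record: Record) -> Optional[Dict[str, str]]:
        """The record as this user is allowed to see it, or None if not visible."""
        if not self.can(user_name, "view", record):
            return None
        masked = self.profiles[self.users[user_name].profile].masked_fields.get(record.module, set())
        return {k: ("****" if k in masked else v) for k, v in record.data.items()}


def build_demo_policy() -> AccessPolicy:
    """Constructed sample organisation: two regions under one sales director."""
    roles = [Role("CEO"), Role("Sales Director", "CEO"),
             Role("APAC Manager", "Sales Director"), Role("EMEA Manager", "Sales Director"),
             Role("APAC Rep", "APAC Manager"), Role("EMEA Rep", "EMEA Manager")]
    full = {"view", "create", "edit", "delete"}
    profiles = [
        Profile("Administrator", {"Leads": set(full), "Deals": set(full)}),
        # managers may delete, but like reps they never see payment card data
        Profile("Manager", {"Leads": set(full), "Deals": set(full)}, {"Leads": {"card_number"}}),
        # reps cannot delete and cannot see the card field on Leads
        Profile("Standard", {"Leads": {"view", "create", "edit"}, "Deals": {"view", "create", "edit"}},
                {"Leads": {"card_number"}}),
    ]
    users = [User("ceo", "CEO", "Administrator"),
             User("mei", "APAC Manager", "Manager"), User("lars", "EMEA Manager", "Manager"),
             User("asha", "APAC Rep", "Standard"), User("tom", "EMEA Rep", "Standard")]
    return AccessPolicy(roles, profiles, users)


def demo_checks() -> Dict[str, object]:
    """The scenarios from the text: new rep, cross-region manager, masked field."""
    policy = build_demo_policy()
    apac_lead = Record("Leads", "asha", {"company": "Acme KK", "card_number": "4111 1111 1111 1111"})
    emea_lead = Record("Leads", "tom", {"company": "Acme GmbH", "card_number": "5555 5555 5555 4444"})
    return {
        "rep_sees_own_lead_masked": policy.view("asha", apac_lead),
        "rep_cannot_delete_own_lead": policy.can("asha", "delete", apac_lead),
        "apac_manager_sees_apac_lead": policy.can("mei", "view", apac_lead),
        "apac_manager_blocked_from_emea": policy.can("mei", "view", emea_lead),
        "ceo_sees_card_unmasked": policy.view("ceo", emea_lead),
    }
```

The design point is that each check is a conjunction: a manager's role makes the regional records visible, but the profile still decides whether deletion is allowed and whether the card field is readable. Adding a user to a broader role therefore never silently widens field access, which is the least-privilege property the section is asking for.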
Impose IP-based restrictions to prevent unauthorized access
When you restrict access to your applications to a range of IPs, you secure your systems against unauthorized access and phishing attempts. Field sales agents connecting from other countries or other networks can use a VPN to access the CRM from a trusted address. This ensures that connections from unverified and untrusted IP addresses are kept out. As an additional security layer, you can implement a further step wherein systems connecting from unknown IPs are challenged to verify their identities before their access is authenticated.
Track user activity with audit logs
Despite stringent access controls and protocols in place to keep your data safe, you might want to keep a trail of all activities performed in your CRM application. Zoho CRM enables you to do just that with audit logs: a detailed, time-stamped event history, in chronological order, of all actions performed in the application, including user activities, administrative actions, and key system events. You can track record creation, record modification, approval submissions, workflow creation, and bulk activities such as mass record updates, deletions, and exports.
For easy access, users can filter audit log entries by module, user, action type, or a selected date range.
Audit logs are accessible to all users. However, each user can only view their own audit trail and not the audit logs of other users. Admin users have complete access to the audit logs, along with options to export them. Audit logs in Zoho CRM are retained for up to three years.
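The audit-log section above and the IP-restriction section before it describe two controls a customer operates: filtering the event history by module, user, action and date, and treating addresses outside an allowlist differently from trusted ones. The following added example (written for this article, not Zoho code, and not Zoho CRM's export format) puts both together as a small defender-side review script: it parses constructed sample entries, applies the same filters an admin would use in the UI, classifies each source IP against a constructed allowlist, and flags bulk exports and activity from untrusted addresses. The JSON-lines layout, the `mass_` action prefix, the threshold and the network ranges are all assumptions of the example.

```python
import ipaddress
import json
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample entries in a hypothetical JSON-lines layout (assumption:
# not Zoho CRM's real export). Addresses come from documentation ranges.
SAMPLE_LOG = """\
{"time": "2025-08-12T09:02:11Z", "user": "asha", "module": "Leads", "action": "create", "count": 1, "ip": "203.0.113.14"}
{"time": "2025-08-12T09:15:40Z", "user": "asha", "module": "Leads", "action": "edit", "count": 1, "ip": "203.0.113.14"}
{"time": "2025-08-12T10:05:02Z", "user": "ravi", "module": "Deals", "action": "view", "count": 1, "ip": "198.51.100.7"}
{"time": "2025-08-12T13:22:09Z", "user": "ravi", "module": "Contacts", "action": "mass_export", "count": 25000, "ip": "192.0.2.77"}
{"time": "2025-08-12T13:25:41Z", "user": "ravi", "module": "Contacts", "action": "mass_delete", "count": 300, "ip": "192.0.2.77"}
{"time": "2025-08-12T16:48:00Z", "user": "admin", "module": "Settings", "action": "workflow_create", "count": 1, "ip": "203.0.113.2"}
{"time": "2025-08-13T02:10:33Z", "user": "asha", "module": "Leads", "action": "mass_export", "count": 5000, "ip": "203.0.113.14"}
"""

# Office egress plus the VPN concentrator's range (constructed). Anything else
# gets a step-up challenge rather than a silent allow, as the text suggests.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]


def classify_ip(ip_text: str) -> str:
    """'allow' inside the trusted ranges, 'challenge' for any other valid
    address (IPv4 or IPv6), 'deny' when the value is not an IP address at all."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "deny"
    return "allow" if any(addr in net for net in TRUSTED_NETWORKS) else "challenge"


def parse_time(text: str) -> datetime:
    # datetime.fromisoformat() only accepts the 'Z' suffix from Python 3.11 on
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_log(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = parse_time(e["time"])
        entries.append(e)
    return entries


def filter_entries(entries: List[Dict], module: Optional[str] = None, user: Optional[str] = None,
                   action: Optional[str] = None, start: Optional[str] = None,
                   end: Optional[str] = None) -> List[Dict]:
    """The filters the section describes: module, user, action type, date range
    (ISO-8601 strings, inclusive)."""
    start_t = parse_time(start) if start else None
    end_t = parse_time(end) if end else None
    out = []
    for e in entries:
        if module and e["module"] != module:
            continue
        if user and e["user"] != user:
            continue
        if action and e["action"] != action:
            continue
        if start_t and e["time"] < start_t:
            continue
        if end_t and e["time"] > end_t:
            continue
        out.append(e)
    return out


def find_anomalies(entries: List[Dict], bulk_threshold: int = 1000) -> List[Dict]:
    """Flag bulk operations at or above the threshold and any activity from
    outside the trusted networks. Each finding names the rule and the detail."""
    findings = []
    for e in entries:
        if e["action"].startswith("mass_") and e["count"] >= bulk_threshold:
            findings.append({"time": e["time"], "user": e["user"], "rule": "bulk_operation",
                             "detail": "%s of %d records" % (e["action"], e["count"])})
        verdict = classify_ip(e["ip"])
        if verdict != "allow":
            findings.append({"time": e["time"], "user": e["user"], "rule": "untrusted_ip",
                             "detail": "%s -> %s" % (e["ip"], verdict)})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f["time"].isoformat(), f["user"], f["rule"], f["detail"])
```

Run as a script it lists the four findings in the constructed data: a 25,000-record export and a 5,000-record export, plus two actions from an address outside the allowlist. In practice the threshold would be tuned to the organisation's normal export volume, and the two rules are most useful together: a large export from a trusted office address is worth a question, while one from an unknown address is worth an immediate call to the user.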
Secure by design: Tenant isolation in Zoho CRM
When we say privacy and security are built into Zoho's core, we mean that when you rely on our cloud, the underlying infrastructure is shared for efficiency while our model keeps your data secure and separate.
In Zoho CRM, tenant isolation is a core part of our security operations. The platform operates on a multi-tenant model with strict logical data isolation to ensure that each organization's data remains securely segregated. Even within a shared database infrastructure, access is governed through our sharing model, so one tenant's data is completely isolated and inaccessible to others. This approach enables businesses to scale efficiently while maintaining strong data privacy and security boundaries.
Zoho CRM: Certification and independent audits
Zoho CRM maintains industry-recognized certifications including ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018, and we undergo SOC 2 Type II independent audits. These certifications validate Zoho's cloud security controls and information security management, and ensure protection of personally identifiable information (PII).
Zoho also complies with global privacy regulations such as GDPR and industry-specific regulations like HIPAA. Zoho is subject to periodic external audits by certified audit bodies and third parties that assess and validate our security and privacy posture.
Zoho CRM: Security you can trust
In Zoho CRM, security isn't an afterthought; it's a layer embedded across the CRM platform. From access controls to monitoring and compliance readiness, Zoho CRM is designed to protect your data at every step without compromising usability. As organizations scale and grow, this security-first approach ensures that teams can operate with confidence that their data is safe, governed, and always under their control.