A ransomware attack on a Middle Eastern business partner of payroll services provider ADP has resulted in the theft of personal data belonging to current and former Broadcom employees.
The breach occurred in September 2024 at Business Systems House (BSH), a regional payroll vendor working with ADP.
At the time, the affected entity was in the process of moving away from BSH/ADP for payroll services in the Middle East. Despite the transition, sensitive employee data was still exposed during the attack.
According to an internal notification sent to impacted individuals, BSH and ADP became aware of the ransomware incident in late September. By December 2024, it was confirmed that some of the stolen data had been leaked online.
Because the stolen data was unstructured, BSH/ADP did not determine the scope of the breach, including which employees were affected, until May 12, 2025. That delay in turn postponed Broadcom’s ability to alert its workforce.
To respond to the incident, BSH and ADP worked with incident response consultants and digital risk experts to assess the breach and implement additional safeguards. Local law enforcement agencies and relevant data protection authorities were also notified.
According to reports, the El Dorado ransomware group claimed responsibility for the alleged Broadcom cyberattack in November 2024.
First emerging earlier that year, El Dorado quickly became a notable threat actor in the cybercrime community. It is now believed to have links to, or to have rebranded as, the Russian-speaking group BlackLock.
Although El Dorado’s leak site went offline earlier this year, BSH now appears on BlackLock’s active leak platform.
Privately sourced threat intelligence, compiled through analysis of known malware activity, indicates that at least five Broadcom-related employee accounts were compromised via infostealer tools.
This exposure could affect up to 560 users and may have led to the leakage of login credentials tied to 35 additional organisations through third-party service connections.
Still, Broadcom has not issued a public statement on the matter or confirmed the full extent of the breach.
On the other hand, a subsidiary of the affected entity stated that it is the only company under Broadcom’s umbrella identified in the data directories leaked by BlackLock.
The compromised data varies by individual but may include national identification numbers, health insurance ID and policy numbers, financial account details, dates of birth, salary information, employment termination dates, personal email addresses, phone numbers, and residential addresses.
In its internal guidance, Broadcom advised affected individuals to activate multi-factor authentication (MFA) for financial services, use enhanced security settings where available, and monitor personal accounts for any signs of unauthorised or suspicious activity.
