A ransomware attack targeted **Business Systems House (BSH)**, a Middle Eastern payroll partner of **ADP**, in **September 2024**, leading to the theft of **Broadcom’s employee data**. The compromised data was leaked online in **December 2024**, but Broadcom was not notified until **May 2025**—an eight-month delay. The **El Dorado ransomware group** claimed responsibility, exploiting Broadcom’s ongoing transition between payroll providers. The breach exposed sensitive employee information, including personal and financial details, while Broadcom was still dependent on ADP and BSH for payroll processing. The incident underscores critical vulnerabilities in **third-party supply chain security**, particularly during vendor transitions, and highlights the prolonged risks of undetected data exfiltration in ransomware attacks. The delayed disclosure further exacerbated reputational and operational risks for Broadcom, a global semiconductor and infrastructure software leader.
Source: https://databreaches.net/2025/05/17/ransomware-attack-on-adp-partner-exposes-broadcom-employee-data/
Broadcom cybersecurity rating report: https://www.rankiteo.com/company/broadcom
"id": "BRO3362533111725",
"linkid": "broadcom",
"type": "Ransomware",
"date": "9/2024",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'industry': ['semiconductor',
'infrastructure software'],
'location': 'global (HQ in San Jose, California, USA)',
'name': 'Broadcom Inc.',
'type': 'multinational corporation'},
{'customers_affected': 'Broadcom employees (data '
'compromised)',
'industry': 'payroll services',
'location': 'Middle East',
'name': 'Business Systems House (BSH)',
'type': 'regional payroll service provider'},
{'industry': 'HR and payroll services',
'location': 'global (HQ in Roseland, New Jersey, USA)',
'name': 'ADP (Automatic Data Processing)',
'type': 'payroll services giant'}],
'attack_vector': 'third-party vendor (BSH, a regional partner of ADP)',
'data_breach': {'data_exfiltration': 'yes (leaked online in December 2024)',
'personally_identifiable_information': 'likely (employee '
'data)',
'sensitivity_of_data': 'high (employee records)',
'type_of_data_compromised': ['employee data']},
'date_detected': '2024-09',
'date_publicly_disclosed': '2025-05',
'description': 'A ransomware attack on Business Systems House (BSH), a Middle '
'Eastern partner of payroll provider ADP, resulted in the '
'theft of Broadcom employee data in September 2024. The data '
'was leaked online in December 2024, but Broadcom was not '
'informed until May 2025. The El Dorado ransomware group '
"claimed responsibility. The breach occurred during Broadcom's "
'transition away from ADP and BSH as payroll providers.',
'impact': {'brand_reputation_impact': 'negative (ripples through tech and '
'cybersecurity community)',
'data_compromised': ['Broadcom employee data'],
'identity_theft_risk': 'potential (employee data exposed)'},
'initial_access_broker': {'data_sold_on_dark_web': 'yes (leaked online in '
'December 2024)',
'high_value_targets': ['Broadcom employee data']},
'investigation_status': 'disclosed (May 2025)',
'motivation': ['financial gain', 'data theft'],
'post_incident_analysis': {'root_causes': ['third-party vendor vulnerability '
'(BSH)',
'supply chain risk during '
'transition period']},
'ransomware': {'data_exfiltration': 'yes', 'ransomware_strain': 'El Dorado'},
'references': [{'source': 'The Register'}],
'threat_actor': 'El Dorado ransomware group',
'title': 'Ransomware Attack on Business Systems House (BSH) Leading to '
'Broadcom Employee Data Theft',
'type': ['ransomware', 'data breach', 'supply chain attack']}