Broadcom

U.S.-based semiconductor giant **Broadcom** was affected by a **third-party ransomware attack** in September that targeted **Business Systems House (BSH)**, a partner of its former payroll provider **ADP**. The breach, attributed to the **El Dorado ransomware gang** (linked to BlackLock), resulted in the theft of **Middle Eastern employees' sensitive data**, including birthdates, email addresses, phone numbers, home addresses, national ID numbers, health insurance details (IDs, policy numbers), financial account numbers, salary information, and employment termination dates. ADP clarified that only a **'small subset' of clients in select Middle Eastern countries** were affected and denied direct involvement or ransom payments. The incident occurred during Broadcom’s transition to a new payroll provider. The full scope of the breach remains undisclosed, but the compromised data poses significant risks of identity theft, financial fraud, and reputational harm to affected employees.

Source: https://www.scworld.com/brief/third-party-breach-impacts-broadcom-employee-information

Broadcom cybersecurity rating report: https://www.rankiteo.com/company/broadcom

"id": "BRO4981349111725",
"linkid": "broadcom",
"type": "Ransomware",
"date": "5/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'semiconductor manufacturing',
                        'location': 'United States (global operations, breach '
                                    'impacted Middle Eastern employees)',
                        'name': 'Broadcom Inc.',
                        'size': 'large (multinational)',
                        'type': 'public company'},
                       {'customers_affected': 'small subset of clients '
                                              '(including Broadcom)',
                        'industry': 'payroll services',
                        'location': 'Middle East',
                        'name': 'Business Systems House (BSH)',
                        'type': 'private company (ADP partner)'},
                       {'customers_affected': 'small subset of Middle Eastern '
                                              'clients',
                        'industry': 'payroll and HR services',
                        'location': 'United States (global operations)',
                        'name': 'ADP (Automatic Data Processing)',
                        'size': 'large',
                        'type': 'public company'}],
 'attack_vector': ['supply chain attack',
                   'third-party compromise (payroll provider partner)'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (includes national IDs, '
                                        'financial accounts, and health '
                                        'insurance details)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'financial data',
                                              'employment records',
                                              'health insurance details']},
 'description': 'U.S. multinational semiconductor manufacturing company '
                "Broadcom had its Middle Eastern employees' data stolen "
                'following a September ransomware attack against **Business '
                'Systems House (BSH)**, a partner of its former payroll '
                'services provider **ADP**. The breach, claimed by the **El '
                'Dorado ransomware gang** (linked to **BlackLock**), occurred '
                "during Broadcom's transition to another payroll provider. "
                "Compromised data may include employees' birthdates, email "
                'addresses, phone numbers, home addresses, national ID '
                'numbers, national health insurance ID numbers, health '
                'insurance policy numbers, financial account numbers, salary '
                'details, and employment termination dates. ADP stated the '
                "incident impacted only a 'small subset' of clients in some "
                'Middle Eastern countries and confirmed no ransom was paid by '
                'ADP or BSH (to their knowledge).',
 'impact': {'brand_reputation_impact': 'potential reputational harm due to '
                                       'sensitive employee data exposure',
            'data_compromised': ['birthdates',
                                 'email addresses',
                                 'phone numbers',
                                 'home addresses',
                                 'national ID numbers',
                                 'national health insurance ID numbers',
                                 'health insurance policy numbers',
                                 'financial account numbers',
                                 'salary details',
                                 'employment termination dates'],
            'identity_theft_risk': 'high (due to exposure of PII and financial '
                                   'data)',
            'payment_information_risk': 'high (financial account numbers '
                                        'compromised)'},
 'initial_access_broker': {'high_value_targets': 'employee PII and financial '
                                                 'data'},
 'investigation_status': 'ongoing (limited details disclosed)',
 'motivation': 'financial gain (ransomware)',
 'post_incident_analysis': {'root_causes': ['third-party vulnerability (BSH '
                                            'compromise)',
                                            'supply chain risk during payroll '
                                            'provider transition']},
 'ransomware': {'data_exfiltration': True,
                'ransomware_strain': 'El Dorado (linked to BlackLock)'},
 'references': [{'source': 'The Register'}],
 'response': {'communication_strategy': 'public disclosure via The Register; '
                                        'ADP issued a statement clarifying '
                                        'limited impact and no ransom payment'},
 'threat_actor': ['El Dorado ransomware gang', 'BlackLock operation'],
 'title': "Broadcom Middle Eastern Employees' Data Breach via Third-Party "
          'Ransomware Attack',
 'type': ['data breach', 'ransomware attack', 'third-party breach']}