A ransomware attack on a Middle Eastern payroll services provider has resulted in a significant data breach affecting employees of semiconductor giant Broadcom. The breach stems from a supply chain compromise that ultimately led to sensitive employee information appearing on the dark web.
The incident traces back to September 2024, when Business Systems House (BSH)—a human capital management (HCM) provider and business partner of payroll giant ADP—was hit by a ransomware attack carried out by the El Dorado gang, which has since rebranded as BlackLock. At the time of the breach, Broadcom was still in transition from ADP to a new payroll provider and was indirectly impacted by the compromise.
Broadcom and ADP discovered in December 2024 that stolen data had been published online, but it wasn’t until May 12, 2025, that Broadcom received full clarity on what data had been compromised.
“Because the data taken by the criminal actor was in an unstructured format, definitively determining which employees were impacted and, for each employee, which data fields were disclosed, was a lengthy process for BSH/ADP, and this information was not made available to Broadcom until May 12, 2025.”
According to a report from The Register, the stolen data set included:
- National ID numbers
- National health insurance ID numbers
- Health insurance policy/ID numbers
- Financial account numbers
- Dates of birth
- Salary details
- Employment termination dates
- Personal email addresses
- Personal phone numbers
- Home addresses
Broadcom responded to the breach by urging affected individuals to enable multi-factor authentication (MFA) on all financial accounts and to monitor financial activity closely. The company emphasized the need for elevated personal security precautions in light of the data exposed.
The ransomware group responsible, originally named El Dorado, first surfaced in March 2024 and has since rebranded as BlackLock. The stolen Broadcom data was ultimately posted to the BlackLock leak site. The group is believed to consist of Russian-speaking threat actors and has quickly escalated its operations in the cybercrime ecosystem.
Broadcom serves some of the world’s largest companies across key industries such as technology, finance, and telecommunications—its clients include Apple, Samsung, Cisco, and British Airways, among others. While The Register notes that ADP itself has not been publicly tied to any direct data loss in this incident, its partner’s breach still raises questions about supply chain cybersecurity risks.