
Broadcom confirms employee data exposed in supply chain ransomware breach

Broadcom employees’ personal data has surfaced on the dark web following a ransomware attack in September 2024 that targeted Business Systems House (BSH), a human capital management services provider based in the Middle East. BSH, which worked with payroll firm ADP, was previously involved in managing payroll operations for Broadcom in the region.


The incident, attributed to the ransomware group El Dorado—later suspected to have rebranded as BlackLock—compromised BSH’s systems and led to the theft of unstructured employee data. Although Broadcom was transitioning to a new payroll provider at the time of the breach, some employee data remained within BSH’s systems. The breach was discovered in late 2024, but due to the complexity and format of the stolen data, Broadcom was not informed of the specific impact until May 12, 2025.


Broadcom has begun notifying affected current and former employees. The compromised data potentially includes national identification numbers, health insurance details, financial account information, personal contact information, salary details, and employment termination dates. The company has advised those affected to activate multi-factor authentication and monitor financial accounts for suspicious activity.


The leaked information was initially linked to El Dorado in November 2024, though the group’s leak site went offline in March 2025. BSH now appears as a victim on BlackLock’s active leak site. Security analysts suggest the two groups are connected, though direct confirmation is lacking. Open-source data shared by cybersecurity firm Hudson Rock indicates that five compromised employee accounts led to wider exposure, affecting hundreds of users and potentially increasing the risk for dozens of affiliated firms.


ADP has confirmed that only a limited number of its clients in select Middle Eastern countries were affected. It emphasized that its own systems were not breached and that it did not interact with the threat actors or facilitate any ransom payment. The ransomware operators published the stolen data online, consistent with a failed extortion attempt.


ADP reported the breach to local authorities and worked alongside BSH and external security experts to investigate the incident and harden systems against future attacks. The company also collaborated with impacted clients to ensure timely notification and remediation efforts. Broadcom has not commented publicly on the incident.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543