Broadcom employee data stolen by ransomware crooks following hit on payroll provider
Tech giant was in process of dropping payroll biz as it learned of breach
Updated
A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom, The Register has learned.
It's understood Broadcom's HR department has begun the process of informing current and former staff who are affected by the September ransomware attack at Business Systems House (BSH).
Broadcom no longer uses ADP, or by extension BSH, for payroll in the Middle East, the internal email confirmed, and at the time of the incident the company was already in the process of switching payroll providers.
"In late September, 2024, BSH/ADP became aware of the ransomware attack," reads an email to affected individuals.
"In December, 2024, BSH/ADP became aware that personal data was made available on the internet. Because the data taken by the criminal actor was in an unstructured format, definitively determining which employees were impacted and, for each employee, which data fields were disclosed, was a lengthy process for BSH/ADP, and this information was not made available to Broadcom until May 12, 2025.
"BSH/ADP have been working with ADP and outside experts to investigate the incident and take the necessary steps to harden BSH's environment to protect from similar attacks. Local law enforcement and data protection authorities have been notified."
According to open source tracker Ransomware Live, the El Dorado ransomware group claimed responsibility for the attack in November.
Launched in March 2024 and quickly dubbed by some researchers "the new golden empire of cybercrime," El Dorado is now suspected of having links to the BlackLock group.
Those links aren't clear or confirmed, but multiple researchers have posited that BlackLock is a rebrand of El Dorado. Both are Russian-speaking groups.
The El Dorado leak blog has been unavailable since March, and BSH appears as a victim on BlackLock's site, which remains online.
Infostealer data supplied to Ransomware Live by security shop Hudson Rock also indicates that five employees had their accounts compromised, leading to 560 compromised users in total and five third-party employee credentials stolen, potentially widening the attack surface to 35 additional companies.
The Register contacted a range of high-profile companies ADP lists on its website as customers, and those named in El Dorado's/BlackLock's files, asking if they too were compromised, and if so to what degree, but we received almost no definitive responses.
Tyre giant Michelin, which is not mentioned in the El Dorado/BlackLock file trees but is listed as a customer on ADP's website, confirmed it was not affected.
The only Broadcom company listed among the various file directories on BlackLock's leak site is VMware, although Broadcom has not confirmed the scope of the incident.
Broadcom did not respond to our request for comment.
As ever in cases involving data theft, the types of data stolen vary from one affected individual to the next. To protect the source of the story, The Register won't report the specific stolen data types with respect to the individual in question, but below are all the data points potentially affected:
- National ID numbers
- National health insurance ID numbers
- Health insurance policy/ID numbers
- Financial account numbers
- Dates of birth
- Salary details
- Employment termination date
- Personal email addresses
- Personal phone numbers
- Home addresses
Broadcom urged affected individuals to "enable multi-factor authentication and any other enhanced security settings offered by your financial institutions," as well as monitoring financial records for unauthorized or unexpected activity.
ADP distances itself
An ADP spokesperson told The Register "only a small subset of ADP clients" were affected by the breach at BSH, and only "certain countries in the Middle East" were involved.
The spokesperson went on to say that there was no impact to its systems, infrastructure or data within the ADP environment – the attack only affected BSH – and the incident is now resolved, to the best of its knowledge.
"As this was not an ADP incident, we did not directly engage or interact with the bad actor and did not receive any direct communication from them," they said.
"We did not make or facilitate a ransom payment and, to the best of our knowledge, are not aware of any ransom payment made by BSH."
The comment about not paying a ransom tracks, since El Dorado plastered the data online. In the typical double extortion model of ransomware negotiations, criminals threaten to publish data online if a ransom isn't paid.
There would be little reason for any victim to trust that paying an El Dorado ransom would buy anything if the group reneged on its promise not to publish the data in exchange.
"We take these matters very seriously and have robust measures in place to address them," the ADP spokesperson added. "As soon as we were made aware of the impact to our clients and their employees, we took significant action to protect them and help BSH contain and remediate their security issue.
"Our technical and security experts: (a) provided voluntary notifications to the established privacy regulators in the identified impacted countries; and (b) worked closely with BSH and their incident response partner, and third-party experts to advise on incident investigation and resolution. We also worked closely with identified impacted clients and sought to notify them of any potential impact to their employees so they could take appropriate action." ®
Updated to add on May 19, 2025
In a statement, BSH confirmed to us it did not make a ransom payment to the intruders:
In late 2024, Business Systems House FZ-LLC (BSH) experienced a security incident that impacted clients’ data. In response, BSH engaged an incident response partner and third-party experts in order to conduct a forensic analysis as to the root cause of the incident. BSH did not directly engage or interact with the bad actor nor make or facilitate a ransom payment.
BSH takes these matters very seriously and has robust security measures in place to address them. As soon as we were made aware of the impact to our clients and their employees, BSH took significant action, with the assistance of its partners, to protect our clients and employees, and to contain and remediate the security issue.
As part of the remedial efforts, BSH voluntarily notified the appropriate authorities. To the best of our knowledge, the incident has been resolved.