Broadcom has confirmed that sensitive employee data was stolen following a ransomware attack on its former payroll partner, Business Systems House (BSH), an incident that occurred in September 2024. The information came to light through an internal email informing affected employees of the breach, which has placed the company under scrutiny concerning the management and protection of personal data.
The attack, attributed to the El Dorado ransomware group, reportedly exposed a range of personal data, including national ID numbers, health insurance details, and financial account information. According to Ransomware Live, El Dorado claimed responsibility for the attack last November. Local law enforcement and data protection authorities have been notified as investigations continue to assess the full impact of the breach. BSH is reportedly collaborating with ADP and cybersecurity experts to strengthen their defenses against future incidents.
Despite Broadcom’s confirmation of the data theft, the company has noted that it no longer utilizes ADP for payroll services in the Middle East, having begun a transition to a different provider at the time of the ransomware incident. An internal communication from BSH stated that the complex nature of the stolen data required an extensive investigation to ascertain exactly which employees were affected, a process that was only completed by May 12, 2025.
ADP, however, has distanced itself from the breach, claiming that the incident only impacted a ‘small subset’ of its clients in certain Middle Eastern countries, and assured that there was no compromise of its systems. The spokesperson emphasized that ADP did not engage with the attackers, nor did it facilitate any ransom payments, consistent with reports that the stolen data was posted online following the attack. Meanwhile, Broadcom is advising affected individuals to enhance their security settings and monitor their financial accounts for unauthorized activity.