Broadcom Faces Employee Data Theft Following ADP Payroll System Breach


  • Business Systems House experienced a breach in September
  • The firm is a partner of ADP, which previously served Broadcom
  • Sensitive data belonging to Broadcom has surfaced on the dark web

In a recent cybersecurity incident, sensitive information from Broadcom, a global leader in semiconductor technology, has been compromised and is now accessible on the dark web as a consequence of a two-step supply chain attack. The breach was traced back to Business Systems House (BSH), a human capital management (HCM) service provider located in the Middle East, which fell victim in September 2024 to a ransomware attack by a group initially known as El Dorado and later rebranded as BlackLock.

BSH is a business partner of the payroll processing company ADP, which has serviced Broadcom in the past. Broadcom was transitioning to a new payroll provider at the time of the attack and came close to escaping the breach altogether.

By December 2024, BSH and ADP identified the leaked data on online platforms. Due to the disorganized nature of the stolen data, it took considerable time for BSH and ADP to ascertain which employees were affected and what specific information was compromised. It wasn’t until May 12, 2025, that Broadcom received this crucial information.

El Dorado or BlackLock

The Register, a tech news outlet that broke the story, reported that the stolen data includes a range of sensitive personal information. Among the data compromised are national ID numbers, health insurance identification numbers, financial account details, dates of birth, salary information, employment termination dates, and personal contact information, such as email addresses and phone numbers.

In response to this breach, Broadcom has urged its clients to enable multi-factor authentication (MFA) along with any additional security measures provided by their financial institutions. The company has also advised users to keep a close eye on their financial records for any irregularities.

It’s worth noting that El Dorado, which made its debut as a ransomware group in March 2024, has already undergone a rebranding to BlackLock. The data stolen from Broadcom was subsequently posted on the BlackLock leak site, allegedly operated by Russian-speaking affiliates.

Broadcom serves a diverse clientele across several sectors, including technology, finance, healthcare, and telecommunications, with notable clients like Apple, Samsung, and Cisco among others. While The Register reports that ADP has also been scrutinized in this incident, no confirmed data losses from that firm have been reported as of yet.

This breach highlights the elevated risks associated with supply chain vulnerabilities, where adversaries exploit third-party relationships to penetrate larger organizations. According to the MITRE ATT&CK framework, tactics such as initial access, which may involve spear-phishing or exploiting vulnerabilities, as well as persistence and privilege escalation, may have played critical roles in this incident.

This situation serves as a clarion call for organizations to assess their cybersecurity measures, particularly those within interconnected supply chains, and emphasizes the importance of rigorous data protection protocols.
