The recent disclosure of a ransomware-driven data breach at Broadcom has sent fresh ripples through the tech and cybersecurity community, highlighting the persistent risks inherent in supply chain and third-party data management. As reported by The Register, a Middle Eastern partner of payroll services giant ADP, Business Systems House (BSH), fell victim to a ransomware attack in September 2024—a breach that ultimately resulted in the compromise of sensitive Broadcom employee data.

The incident’s timeline underscores the challenges organizations face in monitoring and securing extended vendor ecosystems. Broadcom, a multinational semiconductor and infrastructure software company, had utilized ADP for payroll processing, with BSH functioning as ADP’s regional provider in the Middle East. At the time of the breach, Broadcom was already in the process of transitioning away from both ADP and BSH, but crucially, the switch had not been finalized when attackers struck.

According to internal communications cited by The Register, BSH/ADP discovered the breach in late September 2024. However, it was not until December 2024 that they realized employee data had been made accessible on the internet. Because the stolen information was in an “unstructured format,” as noted in the company’s notification to affected staff, BSH and ADP faced significant delays in identifying the full scope of impacted data and individuals. Broadcom itself was not alerted to the details until May 12, 2025—almost eight months after the initial intrusion.

“The data taken by the criminal actor was in an unstructured format, [so] definitively determining which employees were impacted and, for each employee, which data fields were disclosed, was a lengthy process for BSH/ADP,” read an internal email shared by The Register. This delay left employees in a prolonged state of uncertainty about whether their personal information—potentially including names, payroll details, identification numbers, and contact information—had been exposed.

Further reporting by TechNadu points to the El Dorado ransomware group as the orchestrators of the attack on BSH. The group, which has been active in targeting third-party service providers, managed to exfiltrate employee data as part of its campaign. The incident demonstrates how cybercriminals increasingly target the weakest link in a large organization’s digital supply chain, rather than the primary target itself.

Broadcom’s experience aligns with broader industry concerns over vendor risk management. The process of transitioning payroll providers, already complex given compliance and regional legal considerations, was further complicated by the lack of timely breach disclosure from BSH and ADP. Both firms have reportedly engaged with law enforcement and data protection authorities and taken steps to “harden BSH’s environment to protect from similar attacks” going forward, according to statements published in The Register.

For other enterprises, the incident serves as a potent reminder of the limitations of perimeter-based security and the need for a “trust but verify” approach—even when delegating critical HR and payroll processing to established third parties. Broadcom’s own documentation—unrelated to the breach but broadly relevant—has emphasized the importance of assuming compromise, regularly auditing vendor controls, and implementing rigorous incident response protocols.

While Broadcom no longer contracts with ADP or BSH for its payroll operations, the fallout from the breach will likely reverberate for months as investigations continue and affected individuals take precautions against potential identity theft or social engineering attempts. The episode highlights the growing imperative for real-time information sharing among vendors, clients, and authorities when sensitive data is involved.

As the industry digests the ramifications of the Broadcom breach, the message is clear: the trust placed in business partners is only as strong as the weakest point in their digital defenses, and delays in breach reporting can have lasting consequences for data security and corporate reputation.