Published: May 20, 2025 | By: The Fifth Skill Editorial Team
A supply chain ransomware attack on Middle Eastern HR services provider Business Systems House (BSH) has led to the exposure of sensitive Broadcom employee data on the dark web. Despite initial confusion, it has been confirmed that ADP’s infrastructure and systems were not affected by this incident.
How Did the Breach Happen?
In September 2024, a ransomware group known as El Dorado (now rebranded as BlackLock) infiltrated the systems of Business Systems House, a human capital management provider that services clients in the Middle East.
While BSH is a partner of ADP, the attack was isolated to BSH’s environment. A small subset of ADP clients who utilize BSH’s payroll services were indirectly impacted. Among them was Broadcom, which was in the process of transitioning providers at the time of the breach.
What Data Was Exposed?
The data published on the BlackLock leak site reportedly includes:
- National ID numbers
- Health insurance policy and ID numbers
- Financial account details
- Dates of birth
- Salary and employment termination details
- Personal email addresses and phone numbers
- Home addresses
Timeline of the Incident
- September 2024: BSH systems breached by ransomware group El Dorado
- December 2024: Broadcom is notified of potential impact to its employee data
- May 12, 2025: After deep analysis of unstructured data, BSH/ADP provide detailed clarification to Broadcom
Broadcom’s Recommendations to Employees
In response, Broadcom urged all potentially affected individuals to:
- Enable multi-factor authentication (MFA)
- Closely monitor bank and credit activity
- Use advanced security features from financial institutions
Who Is BlackLock?
Originally called El Dorado, the ransomware group rebranded as BlackLock in early 2025. It is believed to consist of Russian-speaking hackers and operates by publishing sensitive data on its dark web “leak site” when ransom demands are not met.
Clarification from ADP
“This was not an ADP incident. The breach occurred at Business Systems House (BSH), which included a small number of ADP clients in the Middle East. ADP systems, infrastructure, and data remain secure and unaffected.”
ADP further confirmed that the BSH incident has been contained and no additional impact is expected.
Editor’s Note:
This article was updated on May 20, 2025, to reflect factual clarifications provided by ADP. The headline and body text were revised to clarify that the breach did not originate within ADP’s systems, and that Broadcom was first notified in December 2024.
