“In late September, 2024, BSH/ADP became aware of the ransomware attack,” reads an email to affected individuals. It’s understood Broadcom’s HR department has begun the process of informing current and former staff who are affected by the September ransomware attack at Business Systems House (BSH). If you use ADP, your best move from here is to contact them directly to find out if any of your employee records were impacted. It is also probably a good idea to have your network scanned and evaluated for security risks.


In connection with providing payroll, tax and benefits administration, ADP stores tax and salary information, such as W-2s, for each of its customer’s employees. For some ADP customers, employees can view this information themselves by registering with ADP’s self-service portal. ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked. The breach was discovered after several customers reported fraudulent transactions made through ADP’s self-service portal. InstaCart, a grocery and home essentials delivery service, denies a data breach is the source of customer information being sold online on hacker forums. It says it believes the information was stolen from its platform using a “credential stuffing” attack.

Broadcom Employee Data Leaked After Supply Chain Breach at ADP Partner

Customers of the global semiconductor giant Broadcom have had their sensitive data leaked on the dark web after a two-step supply chain attack. The report of the breach came barely a week after another company was reported to have its customer data breached from its database by using another third-party provider as an entryway for compromise. Unfortunately, due to the multitude of breaches that have occurred over time, such personal information is widely available for purchase by malicious actors on the dark web and the black market. Additionally, many companies post unique ADP identification codes publicly for the convenience of their employees. Although the company did not say how many customers were affected by the breach, South African Banking Risk Centre, an anti-fraud and banking non-profit, claims the breach affected 24 million South Africans and 793,749 local businesses. Justice Department charges Joseph Sullivan, 52, former chief security officer at Uber, for allegedly paying hackers $100,000 to hide a 2016 data breach at the company that affected 57 million users and drivers.

System vulnerabilities

In response, BSH engaged an incident response partner and third-party experts in order to conduct a forensic analysis as to the root cause of the incident. BSH did not directly engage or interact with the bad actor nor make or facilitate a ransom payment. Real-time data breach monitoring by scanning public databases, criminal forums, and online markets to detect exposed credentials and sensitive data. Due to the disorganized nature of the stolen data, it took considerable time for BSH and ADP to ascertain which employees were affected, and the specific details of the information compromised. The data exposed in the breach included tax information of employees of some ADP clients. The agency says the company did not have enough risk management controls in place before the incident took place.

  • The company previously said payment details were not affected by the attack, which has affected hundreds of universities, healthcare providers, and other organizations around the globe.
  • Across technology, environmental, process, and health, our priority is to identify and mitigate our own risk.


It’s worth noting that El Dorado, which made its debut as a ransomware group in March 2024, has already undergone a rebranding to BlackLock. The data stolen from Broadcom was subsequently posted on the BlackLock leak site, allegedly operated by Russian-speaking affiliates. The personal information needed to open the account was not stolen from ADP, Cloutier stressed.


In a recent cybersecurity incident, sensitive information from Broadcom, a global leader in semiconductor technology, has been compromised and is now accessible on the dark web as a consequence of a two-step supply chain attack. ADP Chief Security Officer Roland Cloutier explained that to create an account, users need to sign up using their name, Social Security number and date of birth, which is basic information that can be easily lifted by skilled hackers. The victim companies were the ones that published their signup link and code somewhere publicly accessible. A ransomware attack on Business Systems House (BSH), a Middle Eastern partner of payroll provider ADP, led to Broadcom employee data theft in September 2024. The El Dorado ransomware group claimed responsibility for the breach, which occurred as Broadcom was transitioning payroll providers. A recent ransomware attack on Business Systems House (BSH), a partner of payroll provider ADP in the Middle East, resulted in the breach of employee data belonging to Broadcom.

  • A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom, The Register has learned.
  • If this policy and ADP’s procedures are followed, ADP pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems, provided that the following conditions are met.
  • Some client companies were not careful enough with these codes and posted them publicly on their websites.
  • As soon as we were made aware of the impact to our clients and their employees, BSH took significant action, with the assistance of its partners, to protect our clients and employees, and to contain and remediate the security issue.

A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. The hackers made off with W-2 data, so tax refunds and returns could be impacted, but these stolen identities are being bought and used by other cyber mafias for increasingly targeted phishing attacks. U.S. Bank’s Ripley acknowledged that the bank published the link and company code to an employee resource online, but said the institution never considered that the data itself was privileged.

It says 47 staff accounts were compromised and used to steal 3.8 million documents, including 500,000 that contained personal information on 186,000 customers. The ADP hackers used a process called “Flowjacking”, which allowed them to access ADP’s internal processes. These protocols require something you know, like a password, and something you have, such as a code sent to your phone, biometrics (fingerprint, eye scan, etc.), or a physical token.

Security issue could impact ADP customers

According to BuzzFeed News, sellers on two dark web stores are hawking information from 278,531 InstaCart accounts. South African branch of consumer credit reporting agency Experian discloses data breach. It says it gave personal details of South African customers to a fraudster posing as a client.

To register on the portal, a cybercriminal needs personally identifiable information like names, dates of birth, and Social Security numbers. Such data, according to ADP, were not harvested from its systems, but must have already been in the hands of the crooks. The letter warned that the stolen tax and salary data may have been used to file a fraudulent income tax return under the employee’s name. Bank explained fraudsters created unauthorized accounts for employees who had not yet registered on ADP’s portal using confidential personal information from other sources. ADP stressed that fraudsters also needed to have the victim’s name, date of birth and Social Security number in order to create the account, which did not come from its systems. “Once the fraudulent registration was established, they were able to view or download your W-2,” said Carlson.


The spokesperson went on to say that there was no impact to its systems, infrastructure or data within the ADP environment – the attack only affected BSH – and the incident is now resolved, to the best of its knowledge. For more specific help and instructions related to ADP’s data breach, please contact ADP Customer Service directly.

Hackers had used similar tactics previously to break into the IRS’s Get Transcript application. If you haven’t been notified yet of the hack, then your password hasn’t been compromised. For example, if you use the same password on all of your online accounts, and a phishing scam like this stole your password, then all of your accounts would be in jeopardy. Drizly, an online alcohol delivery startup, informs its customers their personal information is at risk after a hacker obtained their data during a data breach.

ADP emphasized that the fraudsters needed to have the victim’s personal data — including name, date of birth and Social Security number — to successfully create an account in someone’s name. ADP also stressed that this personal data did not come from its systems, and that thieves appeared to already possess that data when they created the unauthorized accounts at ADP’s portal. US Bank’s Ripley then admitted that the bank made the company code accessible by publishing the link to an employee resource online. In January 2020, the Meadville Medical Center in Pennsylvania had a security breach with their payroll system which resulted in unauthorized exposure of employee personal data and their dependents’ personal information.

In those cases, the fraudsters also already had the victim’s SSN, DoB and other personal data. ADP’s portal, like so many other authentication systems, relies entirely on static data that is available on just about every American for less than $4 in the cybercrime underground (SSN/DOB, address, etc). It’s true that companies should know better than to publish such a crucial link online along with the company’s ADP code, but then again these are pretty weak authenticators.