Ransomware Attack on ADP Partner Exposes Broadcom Employee Data
- November 10, 2023
Some of the biggest names include Apple, Samsung, Cisco, British Airways, and many others. However, in December 2024, the two firms discovered the stolen data on the internet. “We take these matters very seriously and have robust measures in place to address them,” the ADP spokesperson added. “As soon as we were made aware of the impact to our clients and their employees, we took significant action to protect them and help BSH contain and remediate their security issue.”
ADP Vendor Risk Report
- Using personal information gathered from other sources, hackers were able to round up data from about 724,000 compromised taxpayer accounts.
- The breaches occurred after modifications made to its mobile app exposed the information of 21,541 GrabHitch drivers and passengers to the risk of unauthorized access.
Payroll practitioners should be aware of the common types of scams that target payroll operations so they can help protect employers and employees from data breaches, a data security specialist said June 2. Things like bank account numbers and Social Security numbers are stock-in-trade for legions of hackers. This is data with good, reliable resale value, and they can always find a ready market for it. Rather, the workflow itself was breached, and the hackers took advantage of the fact that some companies weren’t as careful as they should have been with their activation codes.
ADP Data Breaches, Cybersecurity Incidents and News
Broadcom urged affected individuals to “enable multi-factor authentication and any other enhanced security settings offered by your financial institutions,” as well as monitoring financial records for unauthorized or unexpected activity. Some client companies were not careful enough with these codes and posted them publicly on their websites. Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop), because hackers can intercept your passwords and data over this unsecured connection. Identity theft is a crime in which an imposter obtains key pieces of personal information, such as an Aadhaar ID or driver’s license number, to impersonate someone else. The information can be used to obtain credit, merchandise, and services in the name of the victim, or to provide the thief with false credentials. If you suspect fraudulent activity on your account, contact your assigned ADP client service team for assistance.
Phishing or suspicious messages
- It’s truly a measure of the challenges ahead in improving online authentication that so many organizations are still looking backwards to obsolete and insecure approaches.
- The breach stems from a supply chain compromise that ultimately led to sensitive employee information appearing on the dark web.
- Unfortunately, some companies are not careful with their activation codes, and wind up placing them on their website for employees to use, where these codes can easily be scraped by alert hackers.
- It says 47 staff accounts were compromised and used to steal 3.8 million documents, including 500,000 that contained personal information on 186,000 customers.
ADP confirmed this activity, saying that it hit “a very small subset” of its customers. The company stressed that hackers need more than just tax data to actually open an account in another person’s name and said the data was not extracted from its systems. This leak caught national attention yesterday when Krebs’ report came out because of ADP’s widespread reach into the payroll and administrative sectors as the company handles those aspects for more than 640,000 companies. Bank, which recently discovered that some of its employees had tax data compromised.
Broadcom hit by employee data theft after breach in supply chain
In response to this breach, Broadcom has urged its clients to enable multi-factor authentication (MFA) along with any additional security measures provided by their financial institutions. The company has also advised users to keep a close eye on their financial records for any irregularities. ADP’s Global Security Organization continues to actively monitor and respond to this developing situation as it does with all reported vulnerabilities. Clients are encouraged to visit ADP’s website at /trust to see Security Alerts to learn more about how ADP protects data, and how clients can help protect themselves. Upon receiving reports regarding these vulnerabilities, ADP’s Global Security Organization began an investigation to determine any potential impacts to our system. At this time, we can confirm that ADP does not currently utilize the MOVEit Transfer software, and no ADP systems or client data was impacted.
ADP Clients Face Potential Tax Fraud After Recent Breach
In February 2020 more than 69,000 Canadian federal employees became victims of a privacy breach after their personal information was emailed to the wrong people. In April 2019, nearly $500,000 was diverted from the City of Tallahassee’s payroll after a cyberattack that resulted in employees realizing they were not paid their monthly salaries. The hackers managed to infiltrate the state’s payroll provider and redirect employee payments to a foreign bank account. The Register, a tech news outlet that broke the story, reported that the stolen data includes a range of sensitive personal information.
To register on the portal, a cybercriminal with malicious intent needs personally identifiable information like names, dates of birth, and Social Security numbers. Such data, according to ADP, were not harvested from its systems, but must have already been in the hands of the crooks. The letter warned that the stolen tax and salary data may have been used to file a fraudulent income tax return under the employee’s name. Bank explained fraudsters created unauthorized accounts for employees who had not yet registered on ADP’s portal using confidential personal information from other sources. ADP stressed that fraudsters also needed to have the victim’s name, date of birth and Social Security number in order to create the account, which did not come from its systems. “Once the fraudulent registration was established, they were able to view or download your W-2,” said Carlson.
I don’t know if the message is a legitimate email or a phishing attempt. Can ADP help confirm its validity?
In addition, a dedicated global team monitors round-the-clock using additional comprehensive controls, including data analytics, to detect, investigate and respond to anomalies and incidents. This team addresses any reported or detected issues by following a defined incident lifecycle. This lifecycle is governed by policies and procedures, and uses an incident management system to record facts, impact and remedial actions taken. Armed with a stolen social security number and a code grabbed from some public domain source, hackers can inject themselves into ADP’s normal process, and make off with thousands, and perhaps even millions of people’s personal information. HR giant ADP, which provides payroll, tax and benefits administration for more than 640,000 companies, was hit hard by identity thieves this week. The perps made off with tax and salary data, according to a report from Brian Krebs—although the actual number of people affected has yet to be revealed.
Partnering with ADP gives you advanced platform defense, intelligent detection, automated data protection, physical security, fraud defense, business resiliency, identity and access management—and much more. We embed multiple layers of protection into our products, processes, and infrastructure, to be sure that security remains at the forefront. Bancorp (U.S. Bank) — the nation’s fifth-largest commercial bank — warned some of its employees that their W-2 data had been stolen thanks to a weakness in ADP’s customer portal. Infostealer data supplied to Ransomware Live by security shop Hudson Rock also indicates five employees had their accounts compromised.
Experts have identified the importance of keeping the security of IT supply chains and contractors intact as these represent potential weak points in the security of any organization. The problem, Cloutier said, seems to stem from ADP customers that both deferred that signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals. Patterson, N.J.-based ADP provides payroll, tax and benefits administration for more than 640,000 companies.
In those cases, the fraudsters also already had the victim’s SSN, DoB and other personal data. ADP’s portal, like so many other authentication systems, relies entirely on static data that is available on just about every American for less than $4 in the cybercrime underground (SSN/DOB, address, etc). It’s true that companies should know better than to publish such a crucial link online along with the company’s ADP code, but then again these are pretty weak authenticators.
According to open source tracker Ransomware Live, the El Dorado ransomware group claimed responsibility for the attack in November. Adam Levin, chairman and founder of IDT911, told Infosecurity that while ADP isn’t saying much about who the victims are, the overall number of people affected is likely to be significant. Norton Rose Fulbright is currently helping multiple companies investigate and respond to these types of incidents.