How the Broadcom Supply Chain Ransomware Breach Highlights Third-Party Cyber Risk — And How MSPs Can Help
In May 2025, Broadcom disclosed that a supply chain ransomware attack on one of its extended payroll partners led to the theft and public posting of sensitive employee data. Although the intrusion first occurred in late 2024, Broadcom did not receive a clear assessment of impacted records until mid-May 2025—pointing to a dangerous blind spot many organisations face when they rely on third-party services for critical operations.
This breach wasn’t the result of a flaw in Broadcom’s own network, but rather a trust-but-verify failure in third-party risk management. The adversary exploited weaker security controls at Business Systems House (BSH), a partner of payroll services provider ADP, thereby compromising data stored or processed outside Broadcom’s direct control. The incident underscores a growing trend: cybercriminals are increasingly targeting supply chains, vendors, and service providers to reach larger organisations indirectly.
What This Means for Organisations
Supply chain attacks are particularly insidious because they exploit trust between companies. Even if an organisation’s internal security posture is strong, the weakest link in its vendor ecosystem can unravel months of defensive work. The Broadcom incident exposed personal data that could be used for identity theft, fraud, or future phishing campaigns, and the delayed visibility meant that employees were left unaware of their risk profile for an extended period.
Practical Prevention Measures
1. Strengthen Third-Party Risk Management
Organisations must inventory all vendors and assess their security controls before onboarding and continuously throughout the relationship. Formal security questionnaires, contractual security requirements, and annual audits help ensure that vendors maintain robust defences.
2. Enforce Strong Data Access Policies
Minimise the amount and type of data shared externally. Limit access to only what is necessary for operational tasks, and apply encryption both at rest and in transit.
3. Real-Time Monitoring and Threat Detection
Whether the asset is internal or external, real-time logging and detection tools (SIEM, XDR) can surface suspicious behaviour early—potentially limiting exposure before data exfiltration occurs.
4. Robust Incident Response Planning
Responding to a breach requires rapid action. A structured incident response (IR) framework with clear roles, communication pathways, and playbooks reduces confusion and downtime when an event occurs.
How Managed Service Providers (MSPs) Like Modena360 Can Help
An experienced MSP can add immense value across these areas:
- Vendor Security Assessments: MSPs can assess the cybersecurity posture of vendors and partners, helping organisations identify gaps before they’re exploited.
- Continuous Monitoring & Alerts: With 24/7 monitoring and alerting, MSPs spot abnormal activity sooner—reducing the “dwell time” attackers enjoy in a network.
- Patch and Configuration Management: MSPs help ensure all systems, including those used by remote and third-party services, receive timely updates and secure configurations.
- Incident Response Coordination: In the event of a supply chain breach, MSPs act as extensions of your team—coordinating containment, remediation, and communication efforts.
Conclusion
The Broadcom breach demonstrates a hard truth: cyber threats no longer respect organisational boundaries. Attackers often target external partners with weaker defences as a pathway into larger ecosystems. The solution isn’t just better firewalls—it’s holistic security governance across the entire technology and partner landscape.
An MSP like Modena360 can help businesses proactively manage vendor risk, monitor threats 24/7, and mount a rapid, coordinated response when incidents occur.
Want to strengthen your third-party risk management and incident response posture? Contact Modena360 today to learn how our security-first MSP services can protect your business against supply chain and ransomware threats.