The Maryland Department of Transportation (MDOT) suffered a ransomware attack in late August, orchestrated by the Rhysida group. The attackers claimed to have exfiltrated highly sensitive personal data of Maryland residents, including Social Security numbers, driver’s license details, home addresses, passport data, and legal documents. Rhysida demanded 30 Bitcoin (~$3.3 million) in exchange for not selling or leaking the stolen information, and publicly posted samples of the stolen data as proof, escalating pressure on the state.

The agency confirmed data loss but did not disclose specifics because the investigation is ongoing. Real-time bus tracking services were disrupted, and MDOT is working with third-party cybersecurity experts to restore systems while ensuring data integrity. If the compromise of personal information is verified, affected individuals will be notified as state law requires, with guidance on mitigating actions.

The attack aligns with Rhysida’s broader 2025 campaign, which includes 8 confirmed ransomware incidents and 45 unconfirmed claims. MDOT issued cybersecurity advisories to employees and MTA users, emphasizing phishing awareness, password hygiene, multi-factor authentication, and software updates to prevent further breaches.
Source: https://www.govtech.com/security/maryland-cyber-attack-interrupts-bus-tracking-exposes-data
TPRM report: https://www.rankiteo.com/company/maryland-department-of-transportation
{
    "id": "mar2202022093025",
    "linkid": "maryland-department-of-transportation",
    "type": "Ransomware",
    "date": "8/2025",
    "severity": "100",
    "impact": "5",
    "explanation": "Attack threatening the organization’s existence"
}
{
    'affected_entities': [
        {
            'customers_affected': 'Maryland residents (exact number undisclosed)',
            'industry': 'Transportation',
            'location': 'Maryland, USA',
            'name': 'Maryland Department of Transportation (MDOT)',
            'type': 'Government Agency'
        },
        {
            'customers_affected': 'MTA system users (exact number undisclosed)',
            'industry': 'Public Transit',
            'location': 'Maryland, USA',
            'name': 'Maryland Transit Administration (MTA)',
            'type': 'Subsidiary Agency'
        }
    ],
    'customer_advisories': 'Free cybersecurity resources recommended via CISA; potential future notifications if PII confirmed compromised',
    'data_breach': {
        'data_exfiltration': True,
        'personally_identifiable_information': True,
        'sensitivity_of_data': 'High (includes SSNs, passports, driver’s licenses)',
        'type_of_data_compromised': [
            'Personally Identifiable Information (PII)',
            'Legal Documents'
        ]
    },
    'date_detected': 'Late August 2025',
    'description': 'A ransomware group known as Rhysida claimed responsibility for a late August 2025 cyberattack on the Maryland Department of Transportation (MDOT), threatening to sell stolen personal data unless a ransom of 30 Bitcoin (~$3.3 million) was paid. The group allegedly stole sensitive data, including Social Security numbers, driver’s license details, home addresses, passport data, and legal documents of Maryland residents. Real-time bus tracking services were disrupted, and MDOT is working with third-party cyber experts to investigate and restore affected systems.',
    'impact': {
        'brand_reputation_impact': 'Potential reputational damage due to data breach and service disruption',
        'data_compromised': [
            'Social Security numbers',
            'Driver’s license details',
            'Home addresses',
            'Passport data',
            'Legal documents'
        ],
        'identity_theft_risk': 'High (due to exposure of PII)',
        'operational_impact': 'Disruption of real-time bus tracking services',
        'systems_affected': ['Real-time bus tracking (partial outage)']
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': 'Threatened (data offered for sale if ransom unpaid)',
        'high_value_targets': ['PII of Maryland residents']
    },
    'investigation_status': 'Ongoing (cause and full scope of data loss under investigation)',
    'motivation': ['Financial Gain (Ransom)', 'Data Theft for Sale'],
    'ransomware': {
        'data_exfiltration': True,
        'ransom_demanded': '30 Bitcoin (~$3.3 million as of disclosure)',
        'ransomware_strain': 'Rhysida'
    },
    'recommendations': [
        'Recognize phishing attempts (avoid clicking suspicious links/sharing personal info)',
        'Update passwords to long, complex credentials (personal and work accounts)',
        'Enable multi-factor authentication (MFA)',
        'Keep software updated across all devices',
        'Utilize free cybersecurity resources from CISA'
    ],
    'references': [
        {'source': 'The Daily Dark Web'},
        {'source': 'Tribune News Service (TNS)'},
        {'source': 'U.S. Cybersecurity and Infrastructure Security Agency (CISA)'}
    ],
    'regulatory_compliance': {
        'regulatory_notifications': 'State law mandates notification to affected individuals if PII confirmed breached'
    },
    'response': {
        'communication_strategy': [
            'Public advisory via media (The Daily Dark Web, TNS)',
            'Dedicated helpline for MTA users (1-800-332-6347)',
            'Internal IT support for MDOT employees',
            'Future notifications to affected individuals if PII confirmed compromised'
        ],
        'incident_response_plan_activated': True,
        'recovery_measures': 'Restoring affected services (e.g., real-time bus tracking)',
        'remediation_measures': 'Investigation ongoing with third-party cyber experts',
        'third_party_assistance': True
    },
    'stakeholder_advisories': [
        'MTA users advised to call 1-800-332-6347 for questions',
        'MDOT employees directed to contact IT departments'
    ],
    'threat_actor': 'Rhysida',
    'title': 'Rhysida Ransomware Attack on Maryland Department of Transportation (MDOT)',
    'type': ['Ransomware', 'Data Breach']
}