Maryland Transit Administration (MTA)

The Maryland Transit Administration (MTA), a division of the Maryland Department of Transportation, suffered a ransomware attack in late August 2025 attributed to the Rhysida gang. The attack disrupted critical services, including real-time bus tracking (still down at the time of reporting) and bookings for the paratransit system (MobilityLink), which serves vulnerable populations. Rhysida claimed to have exfiltrated sensitive data, posting samples such as Social Security cards, driver’s licenses, passports, and other personal documents as proof. The gang demanded 30 bitcoin (~$3.4 million) within seven days for data deletion and system restoration. The MTA confirmed data loss but declined to specify the extent or number of affected individuals, citing an ongoing investigation. If personal data was compromised, the state pledged to notify victims per legal requirements. The attack caused operational disruptions, financial risks (potential fraud for affected individuals), and reputational damage. Rhysida, a ransomware-as-a-service (RaaS) group, has a history of targeting high-profile entities, including hospitals and government agencies, with demands averaging $1.1 million. The MTA incident marks one of 59 confirmed US government ransomware attacks in 2025, highlighting systemic vulnerabilities in public transit cybersecurity.

Source: https://www.comparitech.com/news/ransomware-gang-says-it-hacked-the-maryland-transportation-department/

TPRM report: https://www.rankiteo.com/company/mtamaryland

"id": "mta0933009092525",
"linkid": "mtamaryland",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"

{'affected_entities': [{'industry': 'transportation',
                        'location': 'Maryland, USA',
                        'name': 'Maryland Transit Administration (MTA)',
                        'type': 'government agency'}],
 'customer_advisories': 'State will notify affected individuals if PII is '
                        'confirmed compromised, per state law.',
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['image scans (PNG/JPEG)', 'documents'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (includes SSN, driver’s license, '
                                        'passport scans)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'government documents']},
 'date_detected': '2025-08-24',
 'date_publicly_disclosed': '2025-08-24',
 'description': 'The Maryland Transit Administration (MTA), a division of the '
                'Maryland Department of Transportation (MDOT), suffered a '
                'ransomware attack in late August 2025. The attack disrupted '
                'bookings for the MTA’s paratransit service (MobilityLink) and '
                'caused data loss. Real-time bus tracking remains out of '
                'service for some buses as of the report. The Rhysida '
                'ransomware gang claimed responsibility, demanding a ransom of '
                '30 bitcoin (~$3.4 million) and leaking samples of stolen '
                'data, including scans of a Social Security card, driver’s '
                'license, passport, and other sensitive documents. MDOT has '
                'not verified the extent of the breach or whether a ransom '
                'will be paid.',
 'impact': {'brand_reputation_impact': 'potential damage due to data leak and '
                                       'service disruption',
            'data_compromised': True,
            'downtime': True,
            'identity_theft_risk': 'high (PII exposed, including SSN, driver’s '
                                   'license, passport)',
            'operational_impact': 'disrupted bookings, service outages',
            'systems_affected': ['paratransit service (MobilityLink)',
                                 'real-time bus tracking (partial outage)']},
 'investigation_status': 'ongoing',
 'motivation': 'financial gain',
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '30 bitcoin (~$3.4 million USD)',
                'ransomware_strain': 'Rhysida'},
 'references': [{'source': 'Comparitech'},
                {'date_accessed': '2025-08-24',
                 'source': 'Maryland Department of Transportation (MDOT) '
                           'statement'},
                {'source': 'Rhysida ransomware group leak site'}],
 'regulatory_compliance': {'regulatory_notifications': 'State law compliance '
                                                       'for PII breach '
                                                       'notifications (if '
                                                       'confirmed)'},
 'response': {'communication_strategy': 'limited disclosure due to ongoing '
                                        'investigation; affected individuals '
                                        'to be notified if PII confirmed '
                                        'compromised',
              'incident_response_plan_activated': True},
 'stakeholder_advisories': 'Limited details due to investigation sensitivity; '
                           'notifications to affected individuals pending '
                           'confirmation of PII exposure.',
 'threat_actor': 'Rhysida',
 'title': 'Ransomware Attack on Maryland Transit Administration by Rhysida',
 'type': ['ransomware', 'data breach']}