Maryland Transit Administration (MTA)

The Maryland Transit Administration (MTA) suffered a ransomware attack by the Rhysida gang, resulting in the theft of sensitive data, including passports, driver’s licenses, and contracts. While core transit services (buses, subways, light rail) remained operational, the attack disrupted real-time tracking systems and the Mobility service, a specialized transit program for disabled individuals, which required an interim call system for recovery. The MTA confirmed data loss but refused to disclose specifics due to an ongoing investigation. The gang demanded 30 bitcoin (~$3.4M) with a 7-day deadline, releasing sample stolen data as proof. The incident follows a pattern of Rhysida targeting U.S. government entities and the healthcare and education sectors, with prior attacks on Maryland’s Prince George’s County Public Schools (exposing 100,000 records) and other state governments. Recovery efforts are underway, but some services (e.g., real-time bus tracking) remain impaired. Residents were advised to monitor for phishing, update passwords, and enable multi-factor authentication.

Source: https://therecord.media/maryland-transit-administration-data-breach-claimed-ransomware-gang

TPRM report: https://www.rankiteo.com/company/mtamaryland

"id": "mta3602136092525",
"linkid": "mtamaryland",
"type": "Ransomware",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'transportation',
                        'location': 'Maryland, USA',
                        'name': 'Maryland Transit Administration (MTA)',
                        'type': 'government agency'},
                       {'industry': 'IT/cybersecurity',
                        'location': 'Maryland, USA',
                        'name': 'Maryland Department of Information Technology',
                        'type': 'government agency'}],
 'customer_advisories': ['Watch for phishing attempts.',
                         'Change passwords associated with MTA services.',
                         'Enable multifactor authentication (MFA).',
                         'Update device software to latest versions.'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['PDF (passports, licenses)',
                                        'contracts',
                                        'other documents'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (includes passports, driver’s '
                                        'licenses, contracts)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'government documents']},
 'date_detected': '2024-07-01T00:00:00Z',
 'date_publicly_disclosed': '2024-08-26T00:00:00Z',
 'description': 'The Maryland Transit Administration (MTA) suffered a '
                'ransomware attack in August 2024, leading to data theft and '
                'disruption of specialized transit services (Mobility). The '
                'Rhysida ransomware gang claimed responsibility, demanding a '
                'ransom of 30 bitcoin (~$3.4 million). While core '
                'transportation services (buses, subways, light rail) remained '
                'operational, real-time tracking and Mobility services used by '
                'disabled individuals were disrupted. The attack is part of a '
                'broader trend targeting U.S. state governments, with Rhysida '
                'previously linked to incidents in Seattle, Columbus, and '
                'Prince George’s County Public Schools (Maryland).',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data breach and service disruptions, '
                                       'particularly for vulnerable '
                                       'populations (disabled individuals).',
            'data_compromised': ['passports',
                                 'driver’s licenses',
                                 'contracts',
                                 'other documents'],
            'downtime': {'Mobility service': {'end': '2024-08-29T00:00:00Z',
                                              'notes': 'Interim call system '
                                                       'restored on '
                                                       '2024-08-29; full '
                                                       'recovery timeline '
                                                       'unclear.',
                                              'start': '2024-08-01T00:00:00Z'},
                         'real-time tracking': {'end': None,
                                                'notes': 'Some buses still '
                                                         'lack real-time '
                                                         'tracking as of '
                                                         'disclosure.',
                                                'start': '2024-08-01T00:00:00Z'}},
            'identity_theft_risk': 'High (exfiltrated data includes passports, '
                                   'driver’s licenses, and PII).',
            'operational_impact': 'Disruption of Mobility service (specialized '
                                  'transit for disabled individuals); partial '
                                  'loss of real-time tracking for buses.',
            'systems_affected': ['real-time information systems',
                                 'Mobility service tools (specialized transit '
                                 'for disabled individuals)',
                                 'real-time bus tracking (partial)']},
 'investigation_status': 'Ongoing (led by Maryland Department of Information '
                         'Technology with cybersecurity experts and law '
                         'enforcement)',
 'motivation': ['financial gain', 'disruption'],
 'ransomware': {'data_exfiltration': True,
                'ransom_demanded': '30 bitcoin (~$3.4 million USD)',
                'ransomware_strain': 'Rhysida'},
 'recommendations': ['State residents advised to:',
                     '- Monitor for phishing emails.',
                     '- Change passwords for potentially affected accounts.',
                     '- Enable multifactor authentication (MFA).',
                     '- Update software on all devices.',
                     'Government agencies should:',
                     '- Enhance cybersecurity posture for critical '
                     'infrastructure (e.g., transit systems).',
                     '- Implement robust backup and recovery plans for '
                     'specialized services (e.g., Mobility).',
                     '- Improve transparency in breach disclosures where '
                     'possible.'],
 'references': [{'date_accessed': '2024-08-29T00:00:00Z',
                 'source': 'Recorded Future News'},
                {'date_accessed': '2024-08-28T00:00:00Z',
                 'source': 'VenariX (cybersecurity company)'}],
 'response': {'communication_strategy': {'customer_advisories': ['Monitor for '
                                                                 'phishing '
                                                                 'emails',
                                                                 'Change '
                                                                 'passwords',
                                                                 'Enable '
                                                                 'multifactor '
                                                                 'authentication',
                                                                 'Update '
                                                                 'device '
                                                                 'software'],
                                         'public_updates': True,
                                         'transparency_limitations': 'Details '
                                                                     'withheld '
                                                                     'due to '
                                                                     'ongoing '
                                                                     'investigation '
                                                                     'sensitivity.'},
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Interim call system for Mobility '
                                       'service (restored 2024-08-29)'],
              'third_party_assistance': ['cybersecurity experts (unspecified)',
                                         'VenariX (cybersecurity company)']},
 'stakeholder_advisories': 'Limited due to investigation sensitivity; general '
                           'cybersecurity hygiene guidance provided to public.',
 'threat_actor': 'Rhysida ransomware gang',
 'title': 'Maryland Transit Administration (MTA) Ransomware Attack by Rhysida '
          'Gang',
 'type': ['ransomware', 'data breach']}