
    Rhysida ransomware gang claims Maryland Transit Administration breach, demands $3.4 million

    The Rhysida ransomware gang claimed responsibility for a late-August data breach at the Maryland Transit Administration. Exposed data includes names, surnames, dates of birth, driver’s licenses, SSNs, passports, and confidential information.

    The group is said to have demanded a ransom of 30 bitcoin, around US$3.4 million at the time of writing, to be paid within seven days. To support its claim, Rhysida posted images of documents allegedly stolen from the MTA, including scans of a Social Security card, driver’s license, passport, and several other records.

    Comparitech identified that to prove its claim, Rhysida posted images of what it says are documents stolen from the MTA. They include scans of a Social Security card, driver’s license, passport, and several other documents. 

    The Maryland Transit Administration is a division of the state’s Department of Transportation. It operates buses, light rail, subways, commuter trains, taxis, and a paratransit system. The MTA specifically mentioned the paratransit system, MobilityLink, being disrupted by the cyber attack.

    “MDOT has not verified Rhysida’s claim,” Paul Bischoff, tech writer, privacy advocate, and VPN expert at Comparitech, wrote in a Wednesday post. “We do not know what data was compromised, how many people are affected, if MDOT did or will pay a ransom, or how attackers breached the MTA’s systems.”

    “The Maryland Transit Administration can confirm incident-related data loss at this point in our investigation,” an MTA spokesperson told Comparitech in a statement. “At this time, we are unable to disclose specific or additional details regarding what data has been lost because of the sensitivity of the ongoing investigation. If it is found that personal information has been taken, the affected individuals will be notified by the State in accordance with State law, and we will take appropriate actions and provide guidance on recommended actions.”

    Bischoff noted that Rhysida’s demand of nearly $3.4 million in bitcoin from the MTA is the group’s second largest, following a $5.8 million demand from an attack on the Seattle-Tacoma International Airport. Rhysida also demanded $3.4 million in ransom from Ann & Robert H Lurie Children’s Hospital of Chicago in January 2024. Neither of those ransoms was paid.

    In 2025 to date, Rhysida has claimed eight confirmed ransomware attacks and made another 45 unconfirmed attack claims. In another of the group’s attacks on government agencies, Rhysida demanded $2.6 million following its attack on the Oregon Department of Environmental Quality.

    Rhysida has taken credit for 91 confirmed attacks since it began listing targets on its data leak site, compromising 5.5 million records. Its average ransom demand is $1.1 million.

    About a month back, Maryland’s Department of Transportation announced that a cybersecurity incident had disrupted bookings for the Maryland Transit Administration’s paratransit service. The department later confirmed that Maryland Transit Administration systems had been accessed without authorization, resulting in data loss. As of now, real-time bus tracking remains unavailable for some routes.

    Earlier this week, the agency said that its investigation has, at this point, confirmed incident-related data loss.

    The Maryland Department of Information Technology is advising MTA system users and MDOT State employees to take several steps to help mitigate possible impacts from the cybersecurity incident. Users are urged to stay alert for phishing attempts, which often come in the form of deceptive emails, texts, or websites designed to trick people into revealing sensitive information such as passwords, financial details, or personal data. These messages may mimic legitimate organizations and ask for personal information or prompt the user to click on suspicious links. Individuals should avoid entering personal data or clicking unknown links, and always verify the sender’s email address before taking action.

    Employees and users are also advised to update their passwords, using unique and complex combinations for both personal and work accounts. A password manager can make it easier to manage strong passwords across multiple accounts. Enabling multi-factor authentication is another important safeguard, adding an extra layer of verification that significantly reduces the risk of unauthorized access. Finally, regularly updating software on all devices ensures they have the latest security patches and protections, reducing the likelihood of exploitation through known vulnerabilities.

    Comparitech researchers have logged 59 confirmed ransomware attacks against US government entities in 2025 to date, compromising more than 386,000 records. The average ransom demand is $1.6 million.

    “In August alone, we recorded 12 such attacks. They include a data breach at Spartanburg County, SC, for which ransomware group Qilin took credit,” the post added. “In addition to data theft, ransomware attacks on US government entities can disrupt computer access to essential services, payments, communications, and stored files. Officials must then either pay a ransom or face extended downtime, data loss, and putting constituents at increased risk of fraud.”

    While Maryland DoT has confirmed a data breach, Rebecca Moody, head of data research at Comparitech, wrote in an emailed statement that “we don’t yet know the extent of this breach or the type of data involved. However, Rhysida’s demand of $3.4 million is the second-largest ransom demand we’ve seen from this group, meaning it’s likely they’ve accessed some highly sensitive data. The last time we saw a ransom demand of this value was when Rhysida targeted Lurie Children’s Hospital. In this case, 792,000 people were impacted.”

    “The largest-ever ransom demand ($5.8 million) from Rhysida also came when it had targeted the Port of Seattle,” according to Moody. “This led to the breach of 90,000 records. Rhysida’s proof pack for Maryland DoT also includes screenshots of a passport, driver’s license, Social Security number, a live scan application form, and financial documents.”

    She added that “While we await further information from Maryland DoT, we highly recommend that citizens and employees of the state remain on high alert for potential phishing attacks and monitor their accounts for any unauthorized activity.”

     
