The ransomware group Rhysida, which has at least eight confirmed attacks this year, said it breached the Maryland Department of Transportation in late August. The group claimed to have stolen Social Security numbers, driver’s license details, passport information and other sensitive records. It demanded 30 Bitcoin — worth about $3.3 million at the time — in exchange for not selling the data.
Nathan Miller, communications director for the Maryland Department of Information Technology, said the state has not paid the ransom.
The Maryland Transit Administration has also confirmed that data was lost, but it has not specified what categories of information were taken. MDOT has more than 11,000 employees statewide.
HOW IS THE STATE FOLLOWING UP?
Asked about how the state is following up on the latest attack, Miller said, “The Maryland Department of Transportation and Maryland Transit Administration are working closely with state, federal and third-party cybersecurity entities to bolster the cyber resilience of essential state systems.”
“When risks are identified, they take immediate action to address them and strengthen our defenses. Working in partnership with state and federal cybersecurity agencies, they remain fully committed to protecting the systems our employees rely on and the public depends upon,” he said.
Miller added that cybersecurity incidents are a growing concern nationwide.
“While not all incidents make headlines, they are a daily reality — and a reminder of the critical importance of cybersecurity in today’s digital world,” he said. “We are constantly working in partnership with state and federal cybersecurity agencies and third-party partners to further strengthen and harden the systems our employees rely on and the public depends upon.”
He declined to comment on how secure the current systems are.
“The investigation is ongoing, and due to sensitivity, we will not disclose investigatory methods and actions taken to secure state systems,” Miller said.
He also declined to comment on changes to the systems.
“Due to the sensitive and ongoing nature of the investigation, we are unable to disclose specific information at this time,” Miller said. “We are collaborating with state and federal cybersecurity agencies, as well as third-party partners, to strengthen and enhance the cyber resiliency of the systems that our employees and the public rely upon.”
QUESTIONS RAISED
The breach has raised questions about whether Maryland has adequately secured its digital infrastructure as ransomware groups increasingly target state and local governments.
Rhysida has emerged as one of the more aggressive ransomware outfits of 2025, posting samples of stolen documents online to pressure victims to pay. The U.S. Cybersecurity and Infrastructure Security Agency has warned states to assume stolen data will be weaponized, even if ransoms are paid.
The state said that if investigators determine residents’ information was compromised, those affected will be notified and given guidance on next steps.
MTA said its core services — including Local Bus, Metro Subway, Light Rail, MARC Train, Commuter Bus and Mobility Call-A-Ride — are operating normally. Still, “Some MTA service operations and information systems, including real-time information and call centers, may experience impacts,” the group said in a statement.
The Maryland Transit Administration, one of the nation’s largest multi-modal systems, added that: “Our goal is to provide safe, efficient, and reliable transit across Maryland with world-class customer service.”
©2025 Baltimore Sun, Distributed by Tribune Content Agency, LLC.
