The Maryland Department of Transportation (MDOT) is facing a serious cybersecurity incident after the Rhysida ransomware group gained unauthorized access to its systems. The attackers are reportedly auctioning the stolen data on the dark web for 30 Bitcoins, valued at roughly $3.4 million.
The breach could affect multiple MDOT divisions, including aviation, highways, motor vehicles, ports, and transit operations. The department also manages the Maryland Transportation Authority and the Washington Metropolitan Area Transit Authority.
Rhysida claims to have obtained sensitive internal and personal data, including Social Security numbers, birth dates, and home addresses. The group has offered the stolen information to a single buyer and imposed a seven-day deadline for interested parties.
Maryland Officials Respond to the Breach
The Maryland Transit Administration (MTA), a division of MDOT, acknowledged the cyberattack but declined to provide detailed information. MTA spokesperson Veronica Battisti stated the agency cannot disclose specifics due to the sensitivity of the ongoing investigation.
MDOT’s Department of Information Technology is collaborating with law enforcement and cybersecurity firms to trace the attack and evaluate the full extent of the breach. While the ransomware disrupted several administrative systems, transportation services such as buses, subways, and light rail remained operational.
However, the incident affected real-time services connected to Mobility, a program that allows residents to order shared rides online. The outage temporarily limited some users’ access to these services.
Rhysida’s History and Previous Attacks
The Rhysida group is known for targeting schools and government entities. In August 2023, it carried out a ransomware attack on Prince George’s County Public Schools (PGCPS), one of the largest school districts in the Washington, D.C., suburbs. The attack caused widespread network outages, delaying operations just before the school year began.
PGCPS later confirmed that personal information of approximately 100,000 individuals may have been exposed. The data potentially included names, financial account information, and Social Security numbers.
This prior activity demonstrates Rhysida’s capability to infiltrate high-profile systems and leverage sensitive data for financial gain.
Pennsylvania Faces Similar Threats
Cybersecurity concerns have not been limited to Maryland. In early September, the Pennsylvania Office of the Attorney General reported a ransomware attack that encrypted files and communication systems. The cybercriminal group involved, known as Inc. Ransomware, caused temporary disruption in several legal and administrative functions.
Attorney General Dave Sunday noted that courts granted extensions for filings affected by the attack. While the office did not confirm if personal data was stolen, officials assured that any affected individuals would be notified after the investigation concludes.
Security researchers suspect the attackers exploited vulnerabilities in Citrix NetScaler devices, specifically the CVE-2025-5777 flaw, also referred to as “Citrix Bleed 2.” The flaw allows attackers to bypass authentication protocols and access sensitive systems remotely. Kevin Beaumont, a cybersecurity analyst, indicated that at least two internet-facing NetScaler devices in Pennsylvania were vulnerable before being taken offline.
Broader Implications for State Agencies
These incidents highlight the increasing threat ransomware poses to state-level infrastructure. Government agencies, schools, and transportation authorities often manage vast amounts of sensitive personal information, making them attractive targets for cybercriminals.
Experts suggest that attackers are motivated not only by ransom payments but also by the potential resale of data on underground markets. In Maryland’s case, the auction of MDOT data on the dark web illustrates the growing trend of monetizing stolen government information.
Protecting Sensitive Systems
Cybersecurity specialists emphasize the importance of regular system audits, timely patching of vulnerabilities, and employee awareness training to prevent unauthorized access. For government entities, implementing multi-factor authentication, network segmentation, and encrypted data storage is critical.
Moreover, agencies must prepare robust incident response plans that include coordination with law enforcement and cybersecurity experts. Swift containment and transparency are essential to minimize operational disruption and protect public trust.
What Citizens Should Know
While transportation services in Maryland have largely continued, residents may experience limited functionality in certain digital platforms. Individuals whose personal data may have been exposed should monitor for suspicious activity, including unauthorized account access or phishing attempts.
Authorities have not disclosed the full scope of affected data, but the incident serves as a reminder of the importance of protecting sensitive information. Residents are encouraged to follow official updates from MDOT and state cybersecurity offices.
Conclusion
The MDOT ransomware incident underscores the ongoing cybersecurity challenges facing state agencies. With attackers like Rhysida auctioning stolen data for millions in cryptocurrency, the need for robust protective measures has never been greater.
The Pennsylvania attack illustrates that this is not an isolated issue but part of a broader pattern of ransomware threats targeting government systems. Agencies must strengthen defenses, ensure rapid response capabilities, and maintain transparency with the public to mitigate risks.
As technology continues to integrate with essential public services, safeguarding digital infrastructure is crucial to prevent disruptions, financial loss, and compromise of citizens’ personal information.




