The Chesapeake Bay Maritime Museum has notified 5,181 people of an August 2024 data breach, according to new figures disclosed by Maine’s attorney general.
The breach compromised victims’ names, Social Security numbers, and financial account info.
A ransomware group called “Helldown” took credit for the breach shortly after it occurred. To prove its claim, Helldown posted images of what it says are documents stolen from the museum. The proof pack includes invoices, receipts, a certification, an authorization form, contracts, and inspection reports.
The Chesapeake Bay Maritime Museum has not verified Helldown’s claim. We do not know if the museum paid a ransom, how much Helldown demanded, how attackers breached the museum’s network, or why it took more than a year for the museum to notify victims. Comparitech contacted the museum for comment and will update this article if it replies.
“On August 9, 2024, CBMM became aware of suspicious activity in its environment,” says the museum’s notice to victims. “CBMM’s investigation determined that an unauthorized actor gained access to certain CBMM systems between August 8, 2024 and August 9, 2024, and copied certain files stored on those systems during that period.”
Chesapeake Bay Maritime Museum is offering eligible victims 12 months of free credit monitoring through IDX.
Who is Helldown?
Helldown is a little-known ransomware group whose malware both locks down computer systems and steals data. It then demands ransom for a key to unlock infected systems and destroy the stolen data.
Helldown first started listing targets on its data leak site in August 2024, when it supposedly hacked the CBMM. After three months, it had claimed responsibility for 33 breaches. Comparitech researchers confirmed six of these.
In addition to CBMM, Helldown said it hacked the following organizations:
- Schlatter Group (Switzerland)
- Hug-Witschi AG (Switzerland)
- Klinik am Kurpark (Germany)
- Haus des Stiftens (Germany)
- Cincinnati Pain Physicians (USA)
Schlatter group reported its systems were down for 10 days due to the attack. Cincinnati Pain Physicians said Helldown’s attack cost the clinic six figures.
The group hasn’t listed any new targets since November 2024.
Ransomware attacks in the USA
Comparitech researchers logged 884 confirmed ransomware attacks in the US in 2024, and 543 in 2025. Confirmed attacks make up roughly one in five of the total number of attack claims made by ransomware groups on their data leak sites.
Other recently-confirmed attacks include:
- Pulse Urgent Care Center reported a March 2025 data breach, for which Medusa demanded $120,000
- Soapy Joe’s Car Wash reported an October 2025 data breach claimed by Akira
- Cabinets 200 reported an October 2025 data breach claimed by Blackshrantac
- First Federal Savings & Loan Association of Pascagoula Moss Point reported a February 2025 data breach claimed by Play
- Gregory A Burrell Chapter 13 Trustee reported an October 2025 data breach claimed by Akira
- Medical Center, LLP reported an October 2025 data breach claimed by PEAR
- Smith Fire Systems notified 785 people of an October 2025 data breach claimed by Anubis
Ransomware attacks can both steal data and lock down computer systems. They can disrupt any number of computer-based systems including communications, access to stored data, accounting, and more. Organizations that refuse to pay ransoms can face extended downtime, permanent data loss, and putting data subjects at increased risk of fraud.
About Chesapeake Bay Maritime Museum
The Chesapeake Bay Maritime Museum consists of an 18-acre campus in St. Michaels, Maryland, including a fleet of aquatic vessels. It welcomes nearly 100,000 guests annually, according to its website.
