Rockrose Development confirmed over the weekend that it has notified 47,392 individuals about a data breach that occurred in July 2025. The incident exposed sensitive personal information belonging to both residents and employees.

According to the company, the compromised data includes names, Social Security numbers, taxpayer identification numbers, driver’s license and passport details, financial account and routing numbers, health insurance information, medical records, and online account credentials.

Soon after the breach, a ransomware group known as Play claimed responsibility. The group alleged it had accessed and stolen documents related to Rockrose’s clients, budgeting, payroll, accounting, and tax records, along with identification and financial information. Rockrose has not confirmed the authenticity of Play’s claims.

At this time, it remains unclear whether Rockrose paid a ransom, how much was demanded, or the specific method attackers used to gain access to the company’s systems. Comparitech has reached out to Rockrose for comment and stated it will update its reporting if a response is received.

“Rockrose determined that unauthorized individuals accessed Rockrose’s systems and claim to have acquired confidential information stored in certain of those systems,” the company stated in its notification to affected individuals.

To mitigate potential harm, Rockrose is offering eligible victims 24 months of complimentary identity protection services through Experian. Impacted individuals must enroll by March 31, 2026.

Play is a ransomware operation that has been active since June 2022, targeting organizations across sectors such as healthcare, finance, manufacturing, real estate, and education. The group uses a double-extortion strategy, demanding payment not only to decrypt compromised systems but also to prevent stolen data from being leaked or sold.

So far in 2025, Play has taken credit for 41 confirmed ransomware attacks, in addition to 339 unverified claims that have not been publicly acknowledged by the affected organizations.

Rockrose is not the only construction-related firm allegedly targeted by Play this year. Other organizations that have reported breaches attributed to the group include Rock Solid Stabilization & Reclamation, Gorham Sand & Gravel, Thomas Safran & Associates, and All States Materials Group.

Comparitech researchers report that, as of 2025, there have been 12 confirmed ransomware attacks against U.S. construction companies and real estate developers, impacting a total of 69,513 records. The Rockrose incident accounts for the majority of these exposed records and is the largest such attack recorded since tracking began in 2018.

Additional recent incidents include breaches at Abhe & Svoboda and Barr & Barr, both reportedly linked to the Akira ransomware group.

Ransomware attacks can severely disrupt construction and real estate firms by locking access to systems, stealing sensitive data, and interrupting critical operations such as payroll, billing, communications, and website functionality. Organizations often face the difficult choice of paying a ransom or enduring prolonged downtime and increased fraud risk for customers.

Established in 1970, Rockrose Development has acquired, developed, or repositioned approximately 15,000 residential apartments across New York and Washington, DC. The company also manages nearly 6 million square feet of office space, according to information published on its website.