Ransomware victim disclosure
← All victimsNottingham Construction
Claimed by Medusa · listed 1 year ago
Status timeline
- ListedMay 14, 2025
- Data leakeddate unknown
At a glance
- Group
- Medusa
- Status
- Data leaked
- Country
- United Kingdom
- Sector
- Construction
- Listed on leak site
- May 14, 2025
- Data size
- 252.50 GB
- Records
- 21 employees
About the victim
AI dossier — public-source company profileNottingham Construction is a general contractor established in 1989, incorporated in 1998, specializing in commercial carpentry, multi-family residential, senior living, and commercial/retail construction projects across the United States. The company operates from Pennsylvania with a corporate office in Warminster, PA, and maintains additional operations in Minnesota and Wisconsin.
- Industry
- General Contracting & Commercial Construction
- Address
- 375 Ivyland Road Unit 10, Warminster, PA 18974, USA
- Employees
- 21
- Founded
- 1989
Attack summary
Severity: high — Confirmed exfiltration and publication of 252.50 GB of data from a small business; likely includes client information, financial records, and operational data that could impact business relationships and employee privacy.Medusa claims to have exfiltrated 252.50 GB of data from Nottingham Construction. The group has published the data; no ransom demand is stated.
Data the group says was taken
AI dossier — extracted from the leak post- Corporate documents
- Project records
- Client information
- Financial records
- Employee data
- Operational files
What the group claims
Nottingham Construction was established in 1989 then Incorporated in 1998 performing commercial carpentry and becoming a General Contractor serving National Retail Companies from New York to Virginia. Nottingham Construction corporate office is located in 375 Ivyland Road Unit 10 Warminster, PA 18974, USA and has 21 employees. The total amount of data leakage is 252.50 GB
Sources
Source
Indexed 1 year agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

