Belk Cyberattack: DragonForce Ransomware Group Strikes US Retailer, Steals 150GB of Data
TL;DR
In May 2025, the notorious ransomware group DragonForce targeted the U.S. retailer Belk, stealing 150GB of sensitive data. The cyberattack compromised personal information, including names and Social Security numbers, leading to significant data breaches and operational disruptions.
Belk Cyberattack: Overview
In a significant cybersecurity incident, the ransomware group DragonForce claimed responsibility for a May 2025 attack on Belk, a major U.S. department store chain. The attack resulted in the theft of 156 gigabytes of data, causing substantial disruptions to the company’s operations.
About Belk
Belk, Inc. is a prominent American department store chain established in 1888 in Monroe, North Carolina. With its headquarters in Charlotte, Belk operates around 300 locations across 16 states, offering a wide range of products including apparel, footwear, home furnishings, jewelry, and beauty items.
Details of the Cyberattack
Between May 7 and 11, 2025, Belk experienced a cyberattack in which an unauthorized party accessed its corporate systems and stole internal documents. The company’s data breach notification, shared with the New Hampshire Attorney General’s Office, revealed:
“Belk was the victim of a cyber incident in which an unauthorized third party gained access to certain corporate systems and data between May 7-11, 2025.”
Upon discovering the incident on May 8, 2025, Belk collaborated with third-party cybersecurity experts to determine the source and scope of the unauthorized access. The investigation concluded that the third party obtained certain internal documents related to Belk.[1]
Belk’s Response and Remediation
Belk responded promptly to the cyberattack by:
- Restricting network access
- Blocking known indicators of compromise
- Completing a password reset
- Rebuilding affected servers and endpoints
- Deploying additional security tools for enhanced monitoring capabilities and endpoint protection
The company also notified law enforcement and offered affected individuals 12 months of free credit monitoring and identity restoration services.
Impact and Aftermath
The stolen data included files containing personal information, such as names and Social Security numbers. Belk’s website remains unavailable as of the latest update.
DragonForce added Belk to their Tor leak site this week, making the stolen data available for download. This action suggests that negotiations between Belk and the ransomware group may have failed.
About DragonForce
The DragonForce ransomware group has been active since at least December 2023. Known for targeting high-profile retailers like Marks & Spencer, Co-op, and Harrods, DragonForce scrambles victims’ data and demands ransom. The group operates through a cybercrime affiliate service, allowing affiliates to use its tools to launch attacks and extort victims. They manage both Telegram and Discord channels, and cybersecurity experts believe the group is composed of English-speaking teenagers.
References
[1] “Data Breach Notification” (2025). Belk Data Breach Notification. New Hampshire Attorney General’s Office. Retrieved 2025-07-15.