Ransomware group DragonForce claims it attacked U.S. retailer Belk in May, stealing over 150GB of data in a disruptive cyberattack.
The infamous Ransomware group DragonForce claimed responsibility for the May disruptive attack on US department store chain Belk. The ransomware gang claimed it had stolen 156 gigabytes of data from Belk.
Belk, Inc. is a major American department store chain, founded in 1888 in Monroe, North Carolina, and currently headquartered in Charlotte. Operating around 300 locations across 16 states, Belk offers apparel, footwear, home furnishings, jewelry, beauty products, and more.
Belk suffered a cyberattack between May 7 and 11, 2025, where an unauthorized party accessed corporate systems and stole some internal documents.
“Specifically, Belk was the victim of a cyber incident in which an unauthorized third party gained access to certain corporate systems and data between May 7-11, 2025.” reads the data breach notification shared by the organization with the New Hampshire Attorney General’s Office. “After discovering the incident on May 8, 2025, Belk worked diligently with third-party cybersecurity experts to determine the source and scope of this unauthorized access. Belk concluded that the third party obtained certain internal documents related to Belk.”
The company is investigating the incident with the help of third-party cybersecurity experts and notified law enforcement. Belk responded to the cyberattack by restricting network access, blocking threats, resetting passwords, rebuilding systems, and enhancing security monitoring.
Threat actors stole certain internal documents, including files containing personal information. Names and Social Security numbers were compromised in the attack.
“Belk maintains a written information security program. With professional support from third-party cybersecurity experts, Belk promptly responded to contain and investigate the incident. Belk also alerted and cooperated with law enforcement.” continues the notification. “Belks’s containment and remediation actions included restricting network access, blocking known indicators of compromise, completing a password reset, rebuilding affected servers and endpoints, and deploying additional security tools to provide enhanced monitoring capabilities and endpoint protection.”
At this time, the Belks’s website is still unavailable.
Belk is offering affected individuals 12 months of free credit monitoring and identity restoration services.
This week, DragonForce ransomware gang added the company to Tor leak site. The stolen data are available for download, a circumstance that suggests a failed negotiation.
The DragonForce group has been active since at least December 2023, which recently made the headlines for the attacks on UK retailers like Marks & Spencer, Co-op, and Harrods.
DragonForce ransomware group scrambles victims’ data and demands a ransom; they are also known to steal victims’ data. DragonForce runs a cybercrime affiliate service, letting affiliates use its tools to launch attacks and extort victims. The group manages both Telegram and Discord channels, cybersecurity experts believe it is composed of English-speaking teenagers.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, data breach)
