Charlotte, NC – July 17, 2025 — The U.S. retail chain Belk, Inc. confirmed it was the victim of a ransomware attack in May 2025 that led to the theft of sensitive corporate and personal data. The cybercriminal group DragonForce has claimed responsibility for the incident, asserting it exfiltrated 156 gigabytes of data from the company during a four-day breach.
Belk, a department store chain headquartered in Charlotte, North Carolina, disclosed in a letter to the New Hampshire Attorney General that an unauthorized party accessed its corporate systems between May 7 and May 11. The company stated it discovered the intrusion on May 8 and responded swiftly with the assistance of third-party cybersecurity experts.
The attack reportedly compromised internal corporate documents, including files containing names and Social Security numbers. As of June 5, Belk confirmed that at least one New Hampshire resident had personal data accessed during the breach. Impacted individuals are being offered 12 months of complimentary credit monitoring and identity restoration services through Epiq – Privacy Solutions.
“Belk promptly responded to contain and investigate the incident,” the company stated in its breach notification letter. “Remediation efforts included restricting network access, blocking known indicators of compromise, resetting passwords, rebuilding affected servers, and deploying additional monitoring tools.”
Dr. Tom Confirms Data Exposure
Dr. Tom downloaded a portion of the stolen data made publicly available on DragonForce’s leak site. After reviewing the files, he verified that the information is authentic. His findings lend independent confirmation that the breach impacted actual customer data and that the claims made by the attackers were not fabricated.
DragonForce’s Tactics and Activity
The ransomware group DragonForce listed Belk on its Tor-based leak site this week, releasing the stolen data after what appears to be a failed ransom negotiation. DragonForce has been active since late 2023 and is known for targeting retail companies, including Marks & Spencer, Co-op, and Harrods in the U.K., as well as other high-profile entities in the U.S.
DragonForce operates as a Ransomware-as-a-Service operation, allowing affiliates to carry out attacks using the group’s tools. This structure complicates efforts to link specific breaches directly to one perpetrator.
As of mid-July, Belk’s website remains offline.
Belk operates approximately 300 stores in 16 Southeastern states under the Belk and Belk Outlet names. Founded in 1888, the company has grown into a major regional retailer offering apparel, home goods, and cosmetics.
Law enforcement has been notified, and Belk is continuing to investigate the breach.
Sources:
-
Belk data breach notification to the New Hampshire Attorney General, June 5, 2025
- DragonForce TOR Site
Feeling lost in the digital world? Dr. Tom is here to help!
Join Dr. Tom every week in his column, Dr. Tom’s Cyber Bits and Tips, for byte-sized advice on all things cyber and tech. Whether you’re concerned about online safety, curious about the latest cybercrime trends, or simply want to navigate the ever-evolving digital landscape, Dr. Tom has you covered.
From practical cybersecurity tips to insightful breakdowns of current threats, Dr. Tom’s column empowers you to stay informed and protect yourself online. So, dive in and get savvy with the web – with Dr. Tom as your guide!
Sign up for our Sunday Spectator. Delivered to your inbox every Sunday, with all the news from the week.
