Belk was impacted by a ransomware attack. (Image: Andrey_Popov)
A notorious ransomware organization known as “DragonForce” is reportedly taking public credit for a recent breach of Belk Inc.’s systems.
According to a note from U.K. security software company Comparitech, DragonForce announced on a data leak site it operates that it was behind a May 2025 cyberattack on Belk that exposed roughly 156 GB of the regional department store chain’s corporate data.
In a letter Belk sent to an unspecified number of affected customers, the retailer said it was hit by a a “cyber incident in which an unauthorized actor gained access to certain corporate systems and data,” including customer names and Social Security numbers, between May 7-11, 2025.
After discovering the incident May 8, 2025, Belk said it began working with external cybersecurity experts and law enforcement to determine the source and scope of the attack and took “immediate steps” to stop the cyberattack and secure its systems and data.
Belk also said in the letter it will pay for customers affected by the breach to enroll in a complimentary 12-month credit monitoring service provided by Epiq Privacy Solutions ID, which includes credit monitoring, dark web monitoring, identity restoration, and up to $1 million identity theft insurance.
The retailer’s containment and remediation actions included restricting network access, blocking known compromise indicators resetting passwords, rebuilding affected servers and endpoints, and deploying additional security tools.
Compaitech said in its note that it does not know if Belk paid a ransom, how much ransom DragonForce asked for, or how the group obtained access to the retailer’s systems. Comparitech has contacted Belk for comment.
According to Comparitech, DragonForce began publicly claiming responsibility for cyberattacks in December 2023. It operates a “ransomware-as-a-service” business where other criminals pay to use its malware and then follows up collect fees in order to release victims’ systems from the ransomware and not share exposed data.
