Belk department stores data breach claimed by ransoware gang

Update – 07/15: 586 people are confirmed to have been impacted in this data breach.

Ransomware gang DragonForce today took credit for a May 2025 cyber attack against Belk, a chain of US department stores. DragonForce says it stole 156 GB of data from the company.

Belk on June 5, 2025 notified victims of a data breach that compromised names and Social Security numbers, but it has not disclosed how many people it notified. The cyber attack disrupted both online and in-person operations at Belk stores for several days.

“Specifically, Belk was the victim of a cyber incident in which an unauthorized third party gained access to certain corporate systems and data between May 7-11, 2025,” says Belk’s notice (PDF) to victims. “After discovering the incident on May 8, 2025, Belk worked diligently with third-party cybersecurity experts to determine the source and scope of this unauthorized access. Belk concluded that the third party obtained certain internal documents related to Belk.”

DragonForce lists Belk on its data leak site.
DragonForce lists Belk on its data leak site.

Belk has not verified DragonForce’s claim. We do not know if Belk paid a ransom, how much DragonForce demanded in ransom, or how attackers breached Belk’s network. Comparitech contacted Belk for comment and will update this article if it replies.

Belk is offering victims 12 months of free credit monitoring through Epiq Privacy Solutions ID, which includes $1 million in identity theft insurance.

Who is DragonForce?

DragonForce is a ransomware gang that first started claiming responsibility for attacks on its leak site in December 2023. It operates a ransomware-as-a-service business in which customers pay to use DragonForce’s malware and infrastructure to launch attacks and collect ransoms. DragonForce often extorts victims twice: once for a decryption key to unlock infected systems, and again in exchange for not selling or publicly releasing stolen data.

Since it began, DragonForce has taken credit for 38 confirmed ransomware attacks and made 166 unconfirmed attack claims that haven’t been acknowledged by the targeted organizations.

Five of its targets were retailers, including high-profile attacks on UK retail chains like Marks & Spencer, Co-op, and Harrods. Marks & Spencer is still recovering from DragonForce’s April 2025 attack.

Ransomware attacks on US retailers

Comparitech researchers have logged nine confirmed ransomware attacks on US retailers so far this year, compromising about 65,800 records. Another 127 attack claims have yet to be confirmed.

  • In May 2025, Bruckner’s Truck & Equipment notified 4,458 people following a data breach claimed by Qilin.
  • Crossroads Trading Co notified more than 60,000 people of a February 2025 data breach claimed by Qilin. The attack disrupted points of sale and credit card terminals.

Last year, we tracked 35 ransomware attacks on US retailers that compromised 723,427 records.

Ransomware attacks on US retailers can both steal data and lock down computer systems. Retailers are forced to either pay a ransom or face extended downtime, permanent data loss, and putting customers and staff at increased risk of fraud.

About Belk, Inc

Founded in 1888, Belk is a North Carolina-based chain of department stores with about 300 locations in 16 states. It sells apparel, shoes, cosmetics, home furnishings, and more. Belk employs about 10,600 people, according to external sources.