Belk, the Charlotte-based department store chain with a 136-year legacy, has become the latest target in an increasingly visible campaign of ransomware attacks by the group known as DragonForce.

The breach, which took place between May 7 and May 11, involved the theft of 156 gigabytes of sensitive data spanning employee records, customer information, and company infrastructure. The group published samples of the data on a dark web leak site after ransom negotiations reportedly failed.

The company submitted breach notifications to regulators in early June and began notifying affected individuals shortly after. The stolen data includes structured internal directories, employee files, and customer records sourced from Belk’s mobile infrastructure and core systems.

As of mid-July, five lawsuits have been filed.

Why It Matters: The breach reflects persistent targeting of retail infrastructure by ransomware collectives. It also underscores the operational and legal risks posed by delayed disclosure and a lack of public response. DragonForce is expanding its attacks across industries, leading to more data leaks and lawsuits.

• Attribution and Tactics: DragonForce listed Belk on its leak site alongside partial datasets and a public message framing the breach as a response to failed ransom negotiations. Analysts from Binary Defense identified consistent indicators with prior DragonForce incidents, including the structure of leaked file directories and language used in ransom messaging.

• Content and Exposure: The leaked 156GB dataset includes employee Social Security numbers, medical information, driver’s license data, and internal HR documents. Customer data includes names, email addresses, physical addresses, order histories, and app-related identifiers. Several directories reflect access to backup servers and mobile backend systems.

• Regulatory Disclosures and Response Measures: Belk reported the breach to the North Carolina Attorney General’s office on June 4 and began issuing letters to affected individuals on June 5. The company is offering one year of credit monitoring and identity theft protection, including dark web monitoring and up to $1 million in insurance coverage.

• Ongoing Legal Action: Five civil suits have been filed as of mid-July, alleging that Belk failed to properly safeguard sensitive data and delayed notification of the breach. Plaintiffs include both employees and customers whose data appeared in the breach samples. Allegations focus on negligence and violation of state-level data protection requirements.

• DragonForce Operational Context: The group has been linked to over 100 incidents in the past year, including a high-impact ransomware campaign against Marks & Spencer. Its activity spans sectors and includes extortion as well as disruption of rival leak sites and ransomware cartels. DragonForce’s tactics suggest expansion beyond encrypted lockouts into persistent exposure and reputational harm strategies.

Go Deeper -> Ransomware gang claims credit for Belk data breach. ‘We hope this serves as a lesson.’ – The Charlotte Observer

Marks & Spencer hackers hit US retailer Belk – Cybernews