Ransomware gang claims credit for Belk data breach. ‘We hope this serves as a lesson.’
A ransomware group has claimed credit for Belk’s data breach in May.
DragonForce stole 156 GB of data from the Charlotte-based department store chain, several cybersecurity news outlets reported Tuesday.
JP Castellanos, director of threat intelligence at Binary Defense, told The Charlotte Observer on Tuesday he rates the claim as “high confidence.” Binary Defense, based in Stow, Ohio, is a cybersecurity company specializing in monitoring, detection and response services.
While searching the dark web Tuesday afternoon at the Observer’s request, Castellanos said the cybercrime gang posted samples of the stolen data with a chilling message for Belk:
“Our intention was never to destroy your business. We provided you with the opportunity to address your negligence and keep your customer data intact, but you chose to refuse payment at the agreement stage as a result, people have suffered and we hope this serves as a lesson for others.”
Belk faced several lawsuits following the data breach that occurred between May 7 and May 11, and for allegedly concealing the cyberattack.
The cybercriminals accessed and stole internal documents from Belk’s systems, including names and Social Security numbers of employees and their family members, according to the lawsuits. As of Tuesday, five lawsuits had been filed against Belk over the data breach.
What happened in the Belk data breach
All Belk department stores had a computer “system shutdown,” The Charlotte Observer reported in May.
The cyberattack was discovered on May 8, according to a data breach notification sent June 4 from Belk to N.C. Attorney General Jeff Jackson’s office. Overall, 586 people were affected, including 133 North Carolina residents, according to the notice.
An unauthorized third-party gained access to certain internal documents with information including account numbers, driver’s license, medical information, passport and Social Security numbers, according to the notice.
Belk promptly responded to investigate the incident and worked with law enforcement on remediation efforts including rebuilding affected servers and deploying additional monitoring and protection security measures, according to the notice.
On June 5, Belk began sending letters to people affected by the data breach.
Belk is offering a 12-month credit monitoring service, which includes credit monitoring, dark web monitoring, identity restoration and up to $1 million identity theft insurance, according to the letter included with the lawsuits.
As of Tuesday, Belk still has not publicly shared information about the breach. And Belk officials have not responded to repeated requests for comment, including on Tuesday.
What is DragonForce?
DragonForce is a hacktivist global group that targets organizations and agencies, Castellanos said. “They are like any criminal, looking for opportunity,” he said. “I think for Belk, it was just an opportunity.”
Like other cybercrime cartels, DragonForce locks down a system so the company can’t do payroll or work its registers, then demands ransom, typically in bitcoin, to unlock the files.
“If their demands are not met, they’ll sell it to the highest bidder on data leak sites,” Castellanos said.
DragonForce did not disclose a bid price for Belk’s data.
Castellanos urged anyone who has shopped at Belk to also start credit monitoring.
About Belk
The Belk family sold its department store chain to private equity firm Sycamore Partners for $3 billion in December 2015.
When the pandemic hit in 2020, the now 136-year-old department store was facing a $2 billion debt load and declining store sales. Belk filed for and emerged from Chapter 11 bankruptcy in February 2021 within 24 hours, cutting its debt load by about $450 million.
Last July, Belk unloaded more than $950 million in debt and gave some lenders controlling interests in the company.
The financial restructuring also included securing $485 million in new financing as part of its strategy to strengthen its financial standing.
Belk has nearly 300 stores in 16 Southeast states, including at least 16 outlet stores. There are two outlets in the Charlotte area at Northlake Mall and Eastridge Mall in Gastonia.
This story was originally published July 16, 2025 at 5:00 AM.
