Belk Data Breach: DragonForce Claims 150GB Theft, Legal Fallout

Belk Cyberattack Overview

Belk Cyberattack
Image courtesy of Security Affairs

Ransomware group DragonForce claimed responsibility for the cyberattack on Belk, a U.S. department store chain, which occurred between May 7 and May 11, 2025. The group reported that they stole 156 gigabytes of data during this incident. Belk's internal notification states, “Specifically, Belk was the victim of a cyber incident in which an unauthorized third party gained access to certain corporate systems and data between May 7-11, 2025.”

Belk is actively investigating the breach with third-party cybersecurity experts and has engaged law enforcement. The company restricted network access, reset passwords, and rebuilt affected systems in response to the attack. Data compromised includes personal information such as names and Social Security numbers.

Further details on the breach can be found from the following sources:

Data Breach Impact

DragonForce Leak
Image courtesy of Security Affairs

As reported, the breach has affected at least 586 individuals, compromising sensitive information. Belk has offered 12 months of free credit monitoring and identity restoration services to those impacted. The attack disrupted both online and in-store operations, leading to significant operational challenges.

Belk's response included working with cybersecurity experts to ascertain the breach's scope and initiating remedial actions. The company has not disclosed whether a ransom was paid to DragonForce, who is known for extorting victims for both data access and non-disclosure of stolen information.

For additional context on the attack, refer to:

Class Action Lawsuits

Belk is facing class action lawsuits in North Carolina, alleging that the company failed to adequately protect the personal information of its employees and customers. These lawsuits claim that the breach was concealed and that Belk did not take necessary steps to safeguard sensitive data.

For further legal developments, see:

Law360 on Belk lawsuits

DragonForce has been linked to other high-profile attacks on retailers, including Marks & Spencer and Harrods, indicating a trend of increasing cyber threats to the retail sector. This attack is part of a broader pattern, where DragonForce operates a Ransomware-as-a-Service model, allowing affiliates to utilize their tools for cyberattacks.

For more insights into ongoing cybersecurity threats, check:

Cybersecurity Dive on retail attacks
Comparitech's report on US retailer ransomware

Explore our services to ensure robust cybersecurity measures for your business. Visit our website for more information.

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.