DragonForce Ransomware Group Strikes US Retailer Belk in Major Cyberattack
The US department store chain Belk has fallen victim to a cyberattack by the DragonForce ransomware group, the same threat actor behind the recent £300 million ($403 million) attack on UK retailer Marks & Spencer (M&S). The breach, disclosed in early June via a filing with the New Hampshire Attorney General’s Office, involved unauthorized access to corporate systems and sensitive customer data.
Researchers from Cybernews confirmed the legitimacy of the leak, which includes names, dates of birth, addresses, phone numbers, email addresses, and order histories data that could be exploited by malicious actors, data brokers, or insurance companies for profiling. The exposed information also encompasses store coupons, employee records, and data from Belk’s mobile app infrastructure. While the exact number of affected individuals remains unclear, estimates suggest up to a million users may be impacted, though some accounts are likely test profiles.
DragonForce, which first emerged in 2023, has rapidly expanded its operations, targeting 104 organizations in the past year. The group operates a dark web blog where it lists victims and shares stolen data. In Belk’s case, attackers claim to have exfiltrated 156GB of company data, including backups and employee profiles. The gang initially stated it had no intention of "destroying" Belk’s business but resorted to destructive measures after the company refused to pay the ransom.
The attack has had significant financial repercussions for M&S, forcing its online clothing operations offline, disrupting food supply chains, and wiping over £1 billion from its stock market value. Online sales and trading profits in the affected division have been "heavily impacted" due to the suspension of e-commerce services.
Belk, founded in 1888, operates nearly 300 stores across 16 US states and reported $4 billion in revenue last year. The incident underscores the growing threat posed by ransomware groups like DragonForce, which has also hijacked infrastructure from rival gangs such as BlackLock, Mamona, and RansomHub in a bid to dominate the cybercriminal landscape.
Source: https://cybernews.com/security/dragonforce-belk-data-breach-claims/
Belk cybersecurity rating report: https://www.rankiteo.com/company/belk
Marks and Spencer cybersecurity rating report: https://www.rankiteo.com/company/marks-and-spencer
"id": "BELMAR1770616665",
"linkid": "belk, marks-and-spencer",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Up to 1 million users '
'(estimated)',
'industry': 'Department Store/Retail',
'location': 'United States',
'name': 'Belk',
'size': 'Nearly 300 stores, $4 billion revenue (2023)',
'type': 'Retailer'}],
'data_breach': {'data_encryption': 'Yes (ransomware strain)',
'data_exfiltration': 'Yes (156GB of data)',
'number_of_records_exposed': 'Up to 1 million users '
'(estimated)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (Personally Identifiable '
'Information, employee data)',
'type_of_data_compromised': ['Names',
'Dates of birth',
'Addresses',
'Phone numbers',
'Email addresses',
'Order histories',
'Store coupons',
'Employee records',
'Mobile app infrastructure '
'data']},
'date_publicly_disclosed': '2024-06',
'description': 'The US department store chain Belk has fallen victim to a '
'cyberattack by the DragonForce ransomware group, involving '
'unauthorized access to corporate systems and sensitive '
'customer data. The breach was disclosed via a filing with the '
'New Hampshire Attorney General’s Office and includes exposed '
'personal and operational data.',
'impact': {'brand_reputation_impact': 'Significant (stock market value drop '
'for M&S, public disclosure)',
'data_compromised': '156GB of company data, including backups and '
'employee profiles',
'identity_theft_risk': 'High (exposed PII)',
'operational_impact': 'Disruption of online operations, potential '
'supply chain disruptions',
'systems_affected': 'Corporate systems, mobile app infrastructure, '
'e-commerce services (implied from M&S '
'impact)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Potential (group operates '
'dark web blog)'},
'motivation': 'Financial gain',
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (156GB of data)',
'ransom_paid': 'No (refused to pay)',
'ransomware_strain': 'DragonForce'},
'references': [{'source': 'Cybernews'},
{'source': 'New Hampshire Attorney General’s Office'}],
'regulatory_compliance': {'regulatory_notifications': 'Filing with New '
'Hampshire Attorney '
'General’s Office'},
'response': {'communication_strategy': 'Filing with New Hampshire Attorney '
'General’s Office',
'third_party_assistance': 'Cybernews (researchers)'},
'threat_actor': 'DragonForce ransomware group',
'title': 'DragonForce Ransomware Group Strikes US Retailer Belk in Major '
'Cyberattack',
'type': 'Ransomware'}