DragonForce Claims Belk Data Breach, Lawsuits Allege Poor Protection

DragonForce Hackers Claim Responsibility for Belk Data Breach

A threat group known as DragonForce has claimed responsibility for a significant data breach at Belk, a North Carolina-based department store chain. The group asserts that they have acquired approximately 156 gigabytes of sensitive company data linked to an attack that took place in May 2025. DragonForce is connected to a series of cyberattacks targeting retail firms across the U.K. and the U.S., and this incident marks one of the latest in a growing list of breaches.

Researchers have associated DragonForce with an earlier attack on Marks & Spencer, highlighting a pattern of breaches connected to a broader campaign attributed to Scattered Spider. Chris Yule, director of threat research at Sophos, commented, "DragonForce operates as Ransomware-as-a-Service — meaning various groups can pay for affiliate access to DragonForce’s leak site." This model complicates the tracing of individual victims due to the varied affiliations of the attackers.

Sophos has shared screenshots from DragonForce's leak site, which were posted on Monday, indicating that the breach occurred in early May. The group, having rebranded in 2023, allows other operators to utilize its hacking infrastructure, making it easier for different groups to launch attacks under the DragonForce name or independently.

As of March, DragonForce had listed around 136 victims on its leak site, with the recent breach at Belk being part of a larger trend of attacks that have also affected notable retailers such as Harrods, Victoria’s Secret, and Whole Foods distributor United Natural Foods.

Scattered Spider has shifted its focus towards the insurance and airline industries after the recent spree of retail attacks.

For more details, visit Cybersecurity Dive and Sophos.

Legal Actions Against Belk

In response to the breach, Belk Inc. faces a pair of class action lawsuits filed in North Carolina. These lawsuits claim that the retailer failed to protect the personal information of its employees and customers, resulting in the cyberattack that has allegedly been concealed from the public.

Law firms involved in these cases include Federman & Sherwood and Milberg Coleman.

The implications of these lawsuits could be severe, particularly as they challenge the retailer’s practices in data security and its response to the breach.

For more information on the class action lawsuits, visit Law360 and Consumer Protection.