Kodak has confirmed a data breach after threat actors claimed to have stolen 2.2 million records, including internal corporate data and the personally identifiable information (PII) of customers. 

The group ShinyHunters has claimed responsibility for the attack. While it is currently unknown how Kodak’s systems were breached, ShinyHunters has gone on a spree of Salesforce compromises in recent months, including the breach against Instructure, the parent company of Canvas. 

“The ShinyHunters Group has repeatedly focused on large-scale data theft and extortion, often tied to enterprise platforms and third-party integrations,” says Michael Centrella, Head of Public Policy at SecurityScorecard. “That pattern should be a warning to companies that attackers are not only looking for ransomware opportunities. They are looking for weak access controls and overlooked business systems that can be used to create leverage. Companies need to treat data exposure as an operational risk, not just a privacy issue. That includes limiting how much customer and corporate data is accessible from any one system and validating that vendors and integrations are not creating hidden entry points. If attackers can reach valuable data, they do not need to shut down operations to cause damage.”

ShinyHunters has threatened to leak the data if the organization does not reach out by June 18. 

A spokesperson from Kodak told Security magazine, “Kodak recently discovered that an unauthorized third party illegally gained access to a limited amount of company data. We promptly launched an investigation, and external cybersecurity experts were engaged to assist. Although our investigation is ongoing, we are confident the incident was limited in scope and has been contained and that there is no threat to our systems or operations as a result of the incident. We have also notified law enforcement and are continuing to support their investigation. We will share additional updates as appropriate.”

“Kodak’s breach shows how extortion groups are putting pressure on companies by turning stolen data into a business disruption risk,” Centrella asserts. “Even when an organization says there is no threat to systems or operations, the threat of leaking customer PII and internal corporate data can still create legal, reputational, and customer trust consequences. For a legacy brand like Kodak, the issue is not just whether operations continue running, but whether customers and partners can trust that sensitive information is being protected. Companies need to be ready to explain what was accessed, how attackers got in, whether the issue has been contained, and what they are doing to prevent it from happening again.”