
Kodak Breach Exposes 2.2M Records to ShinyHunters Threat Group

“The ShinyHunters Group has repeatedly focused on large-scale data theft and extortion, often tied to enterprise platforms and third-party integrations,” says Michael Centrella, Head of Public Policy at SecurityScorecard.

Kodak confirms breach, 2.2 million records claimed

Kodak has confirmed that it suffered a data breach after a threat actor claimed to have stolen 2.2 million records, including internal corporate information and the personally identifiable information (PII) of customers. The group identifying itself as ShinyHunters has claimed responsibility for the attack; Kodak says it is working with law enforcement and external cybersecurity experts and will share additional information “as appropriate.”

ShinyHunters’ recent spree of Salesforce compromises — including Instructure

While the immediate method of compromise at Kodak is not yet known, the source notes that ShinyHunters has recently targeted enterprise platforms and third-party integrations. The group’s activity includes a Salesforce-related breach against Instructure, the parent company of Canvas, placing the Kodak incident in a pattern of compromises tied to business and cloud-integrated applications.

SecurityScorecard's Michael Centrella on access controls and operational risk

Centrella framed the breach as part of a broader strategy: attackers “are not only looking for ransomware opportunities. They are looking for weak access controls and overlooked business systems that can be used to create leverage.” He urged companies to treat data exposure as an operational risk rather than only a privacy issue, recommending limits on how much customer and corporate data is accessible from any one system and validation that vendors and integrations are not creating hidden entry points.

Centrella also emphasized that the consequences persist even when a company’s systems remain online and operations continue: “Even when an organization says there is no threat to systems or operations, the threat of leaking customer PII and internal corporate data can still create legal, reputational, and customer trust consequences.” For a legacy brand like Kodak, he said, the question is not only whether operations keep running but whether customers and partners can trust that sensitive information is being protected.

What this means for Kodak's customers, partners, and procurement teams

  • Customers: Those whose PII is implicated will be watching for Kodak’s disclosures about what data was accessed and any remediation or notification steps; the threat actor has threatened to leak the data if Kodak does not make contact by June 18.
  • Partners and vendors: Third parties integrated with Kodak or relying on shared platforms should validate whether their own integrations could have provided attackers with a path to data, consistent with Centrella’s concern about “hidden entry points.”
  • Procurement and security teams at other enterprises: This incident reinforces attention to limiting broad access to customer and corporate data inside any single system and to auditing vendor and third‑party integrations for potential exposure.

Law enforcement involvement and the June 18 extortion threat

ShinyHunters has reportedly given a deadline of June 18 for Kodak to “reach out” or face the public leaking of the claimed 2.2 million records. Kodak has said it is coordinating with law enforcement and external cybersecurity experts; beyond that public-facing confirmation, the company has not yet released technical details about the incident or the extent of containment. Centrella’s remarks underscore the practical pressures created by extortionists who leverage data disclosure to cause business disruption even without operational outages.

The immediate facts are straightforward: a claimed theft of 2.2 million records, a named extortion group alleging responsibility, and a looming leak deadline. The practical questions remain equally sharp and concrete — what exactly was taken, how the intrusion occurred, whether it has been contained, and what Kodak will do to prevent a recurrence. As Centrella put it, companies “need to be ready to explain what was accessed, how attackers got in, whether the issue has been contained, and what they are doing to prevent it from happening again.”
