Kodak Confirms Data Breach After ShinyHunters Claims Theft of 2.2 M Customer Records
What Happened — ShinyHunters, an extortion group, announced it had stolen more than 2.2 million records containing customer personally‑identifiable information (PII) and internal corporate data from Eastman Kodak. The company confirmed a breach, says the incident was limited in scope, contained, and poses no immediate threat to its systems.
Why It Matters for Compliance & Audit Readiness
- A data‑exfiltration event of this size triggers SOC 2 CC6 (Confidentiality) and privacy‑law obligations (GDPR, CCPA) that must be documented with evidence of controls and response.
- Continuous privacy‑control monitoring (e.g., consent management, DSAR readiness) provides the audit trail needed to demonstrate due diligence after an extortion‑driven leak threat.
- Verisq’s CookiePLUS capability helps map privacy controls to regulatory requirements and supplies real‑time evidence for SOC 2 and privacy audits.
Who Is Affected – Consumers and business customers of Kodak (manufacturing & consumer‑goods sector) whose PII was exposed.
Recommended Actions
- Align your data‑classification and privacy policies with SOC 2 CC6 and applicable privacy statutes; capture evidence of encryption, access logging, and consent records.
- Update incident‑response and breach‑notification playbooks to include extortion‑driven leak scenarios and DSAR handling.
- Conduct a privacy impact assessment (PIA) and verify that consent mechanisms and data‑subject request processes are auditable. Source: Malwarebytes Labs
Technical Notes – The exact entry vector remains unknown; ShinyHunters historically leverages social engineering, bribery, and zero‑day exploits in supply‑chain attacks. Stolen data includes names, email addresses, and possibly payment‑related fields. Source: same as above