
Kodak Breach Adds to ShinyHunters’ Growing Data Extortion Wave

Eastman Kodak has confirmed it is investigating a data breach after the ShinyHunters extortion group claimed it stole more than 2.2 million records containing customer personally identifiable information and internal corporate data.

Kodak said an unauthorized third party briefly accessed a limited amount of company data and that outside cybersecurity experts are helping determine what was accessed and copied. The company said it is working with law enforcement and does not believe its systems or operations remain at risk.

The incident puts Kodak on a growing list of organizations facing a newer style of extortion where attackers do not need to encrypt systems to create pressure. Instead, they steal sensitive data, threaten public exposure, and use the legal, reputational, and customer trust fallout as leverage.

ShinyHunters has claimed responsibility for a string of major data theft campaigns tied to enterprise software and third-party platforms, including Salesforce-related incidents, Salesloft Drift compromises, Snowflake customer breaches, and a recent Oracle PeopleSoft campaign. Google’s Mandiant and Threat Intelligence Group recently linked PeopleSoft exploitation to attacks affecting more than 100 organizations, with higher education among the most exposed sectors.

The University of Nottingham was one of the most visible victims in that wave, with attackers claiming access to large volumes of student and alumni records. Security experts say the pattern shows how extortion groups are increasingly targeting shared systems that can unlock data across many organizations at once.

Raluca Saceanu, CEO of Smarttech247, said the Nottingham incident should be viewed as an early warning rather than an isolated breach.


“It’s now clear Nottingham was just the canary in the coalmine. We can expect a series of similar announcements from PeopleSoft customers. Each will be a painful lesson that, in a world of interconnected supply chains, no link can be an island. Open, honest, human communication and collaboration is essential. Coupled with a swift, effective response that follows best practice and protocols we can ensure that every part of the chain operates to the same standards, and blunt the impact of these attacks. Otherwise this will join Canvas, Salesloft and other victims in a long list of lessons that weren’t heeded in time.”

Lee Sult, Chief Investigator at Binalyze, said the PeopleSoft activity reflects a familiar criminal calculation: attackers go where one successful compromise can create many victims.

“PeopleSoft is the latest reminder that attackers favour the path of least resistance. Rather than targeting organisations individually, exploiting a central system can provide access to many at once - and it’s clear more victims are still emerging.

“This is unlikely to be the end of the story. Stolen personal and financial data can quickly circulate among criminal groups, enabling follow-on phishing and fraud campaigns that extend the damage well beyond the initial breach.


“With incidents like Canvas still fresh, it’s evident ShinyHunters is refining a model that delivers results. That makes rapid, thorough investigations critical. Both to understand the scope of the compromise and to ensure affected individuals and organisations can take appropriate action.”


For Kodak, the immediate questions are how much data was taken, how attackers gained access, and whether any third-party platform, cloud integration, or internal business system played a role. Kodak has not publicly attributed the incident to ShinyHunters, but the group has threatened to leak the data if the company does not engage.


Michael Centrella, Head of Public Policy at SecurityScorecard, said Kodak’s case shows why data theft alone can become a business crisis.


“Kodak’s breach shows how extortion groups are putting pressure on companies by turning stolen data into a business disruption risk. Even when an organization says there is no threat to systems or operations, the threat of leaking customer PII and internal corporate data can still create legal, reputational, and customer trust consequences. For a legacy brand like Kodak, the issue is not just whether operations continue running, but whether customers and partners can trust that sensitive information is being protected. Companies need to be ready to explain what was accessed, how attackers got in, whether the issue has been contained, and what they are doing to prevent it from happening again.


“The ShinyHunters Group has repeatedly focused on large-scale data theft and extortion, often tied to enterprise platforms and third-party integrations. That pattern should be a warning to companies that attackers are not only looking for ransomware opportunities. They are looking for weak access controls and overlooked business systems that can be used to create leverage. Companies need to treat data exposure as an operational risk, not just a privacy issue. That includes limiting how much customer and corporate data is accessible from any one system and validating that vendors and integrations are not creating hidden entry points. If attackers can reach valuable data, they do not need to shut down operations to cause damage.”


The broader lesson is blunt: business systems that once sat outside the center of security planning are now prime targets. HR platforms, student information systems, customer databases, SaaS integrations, and support tools can hold enough sensitive data to fuel extortion even when production systems keep running.


For security teams, that means breach readiness can no longer focus only on ransomware recovery. Organizations need to know where sensitive data lives, which integrations can reach it, who has privileged access, and how quickly investigators can reconstruct what happened when an attacker slips through.


Kodak’s breach may prove limited, as the company has said. But the extortion model around it is not. ShinyHunters and similar groups are betting that exposed data, public pressure, and uncertainty can be just as disruptive as downtime. For companies built on trust, that may be more than enough.
