If Your Data Was in Kodak’s Breach: What Your Data Breach Response Should Look Like Right Now

June 22, 2026
by
Abhijay Bhatnagar

If your name or company shows up anywhere near the Kodak breach chatter, you don’t need panic. You need a plan that starts today. Kodak says an unauthorized party had temporary access to a limited amount of company data and that they engaged outside cybersecurity experts and law enforcement. ShinyHunters claims something bigger: over 2.2 million records with customer PII and internal corporate data, with leak threats attached. Here’s how to respond when the public facts are thin, the attacker claims are loud, and your risk window is open right now.

What’s confirmed vs. what’s claimed (and why you must separate them)

When a data breach is still unfolding, you’ll almost always see two competing stories: the company’s early statement (careful, limited) and the attacker’s post (loud, specific, time-pressured). If your data might be tied to the Kodak data breach, your job is to separate those narratives so you can act fast without getting pulled into the attacker’s theater.

What’s confirmed right now (Kodak’s statement)

Kodak has publicly said they discovered that an unauthorized third party gained temporary access to a limited amount of company data. They also said they engaged external cybersecurity experts to investigate what data was accessed and copied, and that they’re working with law enforcement. Kodak added they’re confident there’s no threat to systems or operations and they’ll share updates as appropriate.

That’s the “known-knowns” bucket. It’s intentionally narrow. Early breach statements usually are.

What’s claimed (ShinyHunters’ allegation)

ShinyHunters—an extortion group—has claimed responsibility and alleged they stole over 2.2 million records, including customer PII (personally identifiable information) and internal corporate data. They also used classic extortion tactics: a “final warning” message and a stated date (June 18, 2026) tied to leak threats.

That’s the “attacker-claims” bucket. It might be exaggerated. It might be accurate. Either way, it’s designed to force rushed decisions.

The practical takeaway: treat claims as signals, not facts

Here’s the mistake people make: they either dismiss the attacker completely (“they’re lying”) or they repeat every detail as truth (“2.2 million records leaked!”). Both choices burn you.

Instead, treat unverified claims as operationally useful signals:

  • Signal of data theft risk: If an extortion group is talking about records and PII, assume data exfiltration is on the table until proven otherwise.
  • Signal of social-engineering risk: Even “limited access” can still yield enough real details (names, emails, invoices, org charts) to power phishing and vendor fraud.
  • Signal to start containment and scoping now: You don’t wait for perfect facts to tighten controls, rotate credentials, and monitor for misuse.

What you don’t do: repost their deadline, argue about the record count on social media, or forward screenshots around internally with commentary. That turns you into their distribution channel.

If you keep “confirmed vs. claimed” clean in your head, your next steps get simpler: protect accounts, reduce fraud risk, and push your organization (or vendor) toward a scoped, evidence-based incident response—without letting ShinyHunters set the agenda.

If you’re a customer or partner: assume PII exposure and cut off the easy damage

If there’s even a chance your details were part of what ShinyHunters says they took (customer PII plus internal corporate data), your best move is to act like your contact info is now “known” to criminals. The goal for the next 48 hours is simple: make that data hard to use.

Next 48 hours checklist (do this in order)

  1. Lock down the account that resets everything: your email

If an attacker can get into your email, they can reset passwords across your life.

  • Change your email password (use a long passphrase).
  • Turn on MFA (authenticator app or security key beats SMS when available).
  • Check email forwarding rules and “filters” for anything you didn’t create.
  • Log out of other sessions/devices if your provider supports it.

  2. Reset passwords where the damage spreads fastest

Hit these next:

  1. Banking + payments (bank logins, PayPal, cards, payroll portals)
  2. Primary business tools (Microsoft 365/Google Workspace, CRM, accounting, HR)
  3. Anything Kodak-adjacent (vendor portals, partner dashboards, shared file tools)

Rule: don’t reuse passwords. A breach turns password reuse into a chain reaction.

  3. Tighten “money movement” at your company (partners especially)

Extortion crews love turning stolen PII + internal context into invoice fraud and BEC-style requests.

  • Add a policy: no bank detail changes over email.
  • Require out-of-band verification (call a known number from your system, not the email signature).
  • Flag “urgent” payment language and last-minute routing changes as automatic hold/review.

  4. Credit protection: freeze beats “wait and see”

If the exposed data could include identifiers (address, DOB, government ID, tax info), you want to stop new-credit fraud before it starts.

  • Place a credit freeze if you can. It blocks most new-account openings.
  • Use a fraud alert if you can’t freeze right away (it’s lighter-weight and relies more on lenders checking).

  5. Assume phishing will get personal (because it can)

ShinyHunters explicitly claimed access to customer PII and internal corporate data. That combo is what makes phishing feel “real.”

Watch for:

  • Messages referencing real projects, purchase orders, coworkers, or “ticket numbers”
  • Password reset prompts you didn’t trigger
  • Calls that sound informed but push you to “confirm” details

One habit that helps immediately: stop giving out your real contact details everywhere. A masked email or phone number (like what Cloaked provides) can keep future breaches from becoming a direct line to your main inbox or cell. It doesn’t fix today’s incident, but it reduces how much “easy damage” attackers can do with leaked PII.

A quick, relatable gut-check

If you’re thinking, “I’d spot a scam,” you might… until the email uses your real name, your actual vendor, and the right internal wording. That’s the whole point of stealing PII. Your job is to make their stolen info go stale fast.

If you’re the organization: a no-nonsense breach response playbook (scope → contain → verify)

Once the outside world is taking action, your job is to get to facts fast. Kodak has said they engaged external cybersecurity experts to investigate what data was “accessed and copied,” and that they’re working with law enforcement. That’s the right direction. The gap is what happens next: proving scope and containment with evidence, not confidence.

Scope: figure out what happened (without destroying proof)

  1. Freeze the scene (yes, even in SaaS)

  • Start an incident timeline: first alert, first confirmed access, key actions taken.
  • Preserve identity and access evidence before retention windows roll over:
      • SSO/IdP logs (Okta/Azure AD/Google): logins, MFA events, risky sign-ins, session creation
      • Email logs: inbox rules, OAuth grants, unusual forwarding, admin actions
      • VPN/ZTNA logs: new devices, new geos, odd login times
      • SaaS audit trails: CRM/ERP/file sharing exports, admin role changes, API token creation

  2. Identify the access path (initial entry)

Common starting points in data-theft extortion cases:

  • Stolen credentials + weak/no MFA
  • OAuth app abuse (malicious “consent”)
  • Over-permissioned service accounts / API tokens
  • Compromised vendor or integration account

Your IR lead should be able to answer: “Which identity did they use?” before debating record counts.
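The “freeze the scene” step above is about making evidence defensible later: every preserved log export should have a recorded hash and collection time, and the timeline should be built from those artifacts rather than from memory. The block below is an added example (not Kodak’s code or any IR firm’s tooling) of a minimal evidence manifest and timeline; artifact names, sources and contents are constructed, and in practice the `data` argument would be the bytes of an exported log file.

```python
"""Evidence manifest and incident timeline for the scoping phase.

Added example; not Kodak's code or any IR firm's tooling. Artifact names,
sources and contents below are constructed sample values.
"""
import hashlib
import json
from datetime import datetime, timezone


def preserve(manifest, name, source, data, collected_at):
    """Record an artifact's SHA-256 plus collection metadata so its integrity
    can be proved later (to regulators, insurers, or in court). Returns the entry."""
    entry = {
        "name": name,
        "source": source,
        "sha256": hashlib.sha256(data).hexdigest(),
        "bytes": len(data),
        "collected_at": collected_at.isoformat(),
    }
    manifest.append(entry)
    return entry


def verify_manifest(manifest, artifacts):
    """Re-hash every artifact named in the manifest; return the ones that are
    missing or whose content no longer matches the recorded hash."""
    problems = []
    for e in manifest:
        data = artifacts.get(e["name"])
        if data is None:
            problems.append(f"{e['name']}: missing")
        elif hashlib.sha256(data).hexdigest() != e["sha256"]:
            problems.append(f"{e['name']}: hash mismatch")
    return problems


def add_timeline_event(timeline, when, what, evidence=None):
    """Append a timeline entry tied to the artifacts that support it; keep it sorted."""
    timeline.append({"when": when.isoformat(), "what": what, "evidence": evidence or []})
    timeline.sort(key=lambda e: e["when"])
    return timeline


def constructed_case():
    """Build a constructed manifest and timeline (sample values, not real logs)."""
    utc = timezone.utc
    # Constructed artifact contents standing in for exported log files.
    artifacts = {
        "idp-signins.jsonl": b'{"user":"svc-marketing-sync","event":"login","mfa":"none"}\n',
        "mail-rules.json": b'{"mailbox":"carol@example.com","forward_to":"carol.archive@mailbox-example.net"}\n',
        "crm-export-audit.csv": b"ts,actor,action,rows\n2026-06-10T02:00:00Z,svc-marketing-sync,export,180000\n",
    }
    manifest, timeline = [], []
    collected = datetime(2026, 6, 10, 15, 0, tzinfo=utc)
    for i, (name, data) in enumerate(artifacts.items()):
        preserve(manifest, name, name.split("-")[0], data, collected.replace(minute=5 * i))
    add_timeline_event(timeline, datetime(2026, 6, 10, 14, 30, tzinfo=utc),
                       "first alert: CRM export anomaly", ["crm-export-audit.csv"])
    add_timeline_event(timeline, datetime(2026, 6, 10, 2, 0, tzinfo=utc),
                       "first confirmed unauthorized access (service account login)", ["idp-signins.jsonl"])
    add_timeline_event(timeline, collected, "evidence preservation started",
                       [e["name"] for e in manifest])
    return manifest, timeline, artifacts


if __name__ == "__main__":
    manifest, timeline, artifacts = constructed_case()
    print(json.dumps({"manifest": manifest, "timeline": timeline}, indent=2))
    print("integrity problems:", verify_manifest(manifest, artifacts))
```

The point of `verify_manifest` is that weeks later, when someone asks whether the logs you reported from are the logs you collected, you can answer with a hash comparison instead of an assurance.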

Contain: stop the bleeding before you “clean up”

  1. Cut off attacker access decisively

Do this in a controlled wave so you don’t lock out your own responders:

  • Disable or reset compromised accounts
  • Revoke sessions / refresh tokens in IdP and key SaaS tools
  • Rotate secrets:
      • API keys, service account creds, CI/CD tokens
      • SaaS integration tokens (CRM ↔ marketing ↔ support)
      • Privileged admin accounts (and remove standing admin where possible)

  2. Block likely exfil routes

If an attacker got “temporary access,” they can still copy a lot quickly.

  • Restrict bulk export features (temporarily) in CRM/data platforms
  • Add conditional access rules (geo/device/risk-based)
  • Turn on alerts for:
      • Mass downloads
      • Unusual API calls
      • Large mailbox access
      • New OAuth apps and privilege grants

Verify: prove what data was accessed/copied (and what wasn’t)

  1. Confirm exfiltration signals (look for “how,” not just “what”)

You’re hunting for evidence like:

  • Large data exports (CSV/JSON) from CRM/ERP
  • Repeated object queries via API
  • Spikes in download volume from cloud storage
  • New sharing links created at scale
  • Email archive exports, mailbox delegations, or eDiscovery actions

If ShinyHunters is claiming customer PII and internal corporate data, your verification needs to map to those categories:

  • Which systems store customer PII?
  • Which identities accessed them?
  • What queries/exports/downloads occurred?
  • What time window?
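The exfiltration signals listed above (bulk exports, repeated object queries, download spikes, sharing links created at scale) and the scoping questions that follow them are a hunt over audit logs, not a gut feeling. The block below is an added example, not Kodak’s or any vendor’s code: it runs those checks over normalized audit events and folds the hits into the “which systems, which identities, what happened, what window” answers. The event shape (`ts`/`actor`/`system`/`action`/`rows`/`bytes`/`object`), the `PII_SYSTEMS` inventory and every threshold are assumptions to be mapped onto your own CRM, ERP, file-sharing and API audit exports; the sample events are constructed.

```python
"""Hunt for bulk-movement signals in normalized SaaS audit events.

Added example; not Kodak's, ShinyHunters', or any vendor's code. The event
shape, the PII system inventory and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed inventory of systems that hold customer PII in this environment.
PII_SYSTEMS = {"crm", "erp", "support"}

# Detection thresholds are assumptions; tune them to your own baselines.
BULK_EXPORT_ROWS = 10_000                 # a single export this large is a signal
API_QUERY_BURST, API_WINDOW = 50, timedelta(minutes=10)
SHARE_LINK_BURST, SHARE_WINDOW = 20, timedelta(hours=1)
DOWNLOAD_BYTES, DOWNLOAD_WINDOW = 500 * 1024 * 1024, timedelta(hours=1)


def _densest_window(points, window):
    """Sliding-window maximum over time-sorted (ts, weight) pairs.

    Returns (start, end, total) for the window of width `window` whose weights
    sum highest, or (None, None, 0) when there are no points."""
    best, running, j = (None, None, 0), 0, 0
    for i, (t, w) in enumerate(points):
        running += w
        while points[j][0] < t - window:       # drop points that fell out of the window
            running -= points[j][1]
            j += 1
        if running > best[2]:
            best = (points[j][0], t, running)
    return best


def hunt_exfil_signals(events):
    """One finding per (actor, system) signal: bulk exports, API query bursts,
    mass sharing-link creation, download-volume spikes."""
    grouped = defaultdict(lambda: defaultdict(list))
    for ev in sorted(events, key=lambda e: e["ts"]):
        grouped[(ev["actor"], ev["system"])][ev["action"]].append(ev)

    windowed = [  # (action, window, threshold, signal name, weight per event)
        ("api.query", API_WINDOW, API_QUERY_BURST, "api_query_burst", lambda e: 1),
        ("share_link", SHARE_WINDOW, SHARE_LINK_BURST, "mass_sharing", lambda e: 1),
        ("download", DOWNLOAD_WINDOW, DOWNLOAD_BYTES, "download_spike", lambda e: e.get("bytes", 0)),
    ]
    findings = []
    for (actor, system), actions in grouped.items():
        base = {"actor": actor, "system": system, "holds_pii": system in PII_SYSTEMS}
        for ev in actions.get("export", []):
            if ev.get("rows", 0) >= BULK_EXPORT_ROWS:
                findings.append({**base, "signal": "bulk_export", "start": ev["ts"],
                                 "end": ev["ts"], "value": ev["rows"], "object": ev.get("object")})
        for action, window, threshold, name, weight in windowed:
            pts = [(e["ts"], weight(e)) for e in actions.get(action, [])]
            start, end, total = _densest_window(pts, window)
            if total >= threshold:
                findings.append({**base, "signal": name, "start": start, "end": end, "value": total})
    return findings


def scope_report(findings):
    """Fold findings into the questions IR must answer: which PII systems, which
    identities, what kind of movement, and over what time window."""
    report = {}
    for f in findings:
        r = report.setdefault(f["system"], {"holds_pii": f["holds_pii"], "actors": set(),
                                            "signals": set(), "start": f["start"], "end": f["end"]})
        r["actors"].add(f["actor"])
        r["signals"].add(f["signal"])
        r["start"], r["end"] = min(r["start"], f["start"]), max(r["end"], f["end"])
    return report


def constructed_events():
    """Constructed sample events (not real data): a service account pulls two
    large CRM exports and pages through the contacts API, while a regular user
    does a few ordinary downloads that must not fire."""
    t0 = datetime(2026, 6, 10, 2, 0, tzinfo=timezone.utc)
    svc = {"actor": "svc-marketing-sync", "system": "crm"}
    events = [
        {**svc, "ts": t0, "action": "export", "rows": 180_000, "object": "contacts"},
        {**svc, "ts": t0 + timedelta(minutes=3), "action": "export", "rows": 220_000, "object": "accounts"},
    ]
    events += [{**svc, "ts": t0 + timedelta(minutes=5, seconds=6 * i), "action": "api.query",
                "object": "contacts"} for i in range(80)]          # 80 queries in 8 minutes
    events += [{"actor": "alice@example.com", "system": "files", "action": "download",
                "ts": t0 + timedelta(hours=7, minutes=15 * i), "bytes": 2 * 1024 * 1024}
               for i in range(3)]                                   # benign baseline
    return events


if __name__ == "__main__":
    for system, r in scope_report(hunt_exfil_signals(constructed_events())).items():
        print(system, sorted(r["actors"]), sorted(r["signals"]), r["start"], "->", r["end"])
```

The sliding-window helper is what turns “repeated object queries” into something you can defend: it reports the densest burst and its exact bounds, which is the time window you will be asked for.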

  2. Validate containment (the part teams skip)

Don’t stop at “operations are safe” until you can show:

  • No active attacker sessions
  • No unknown admin accounts / API tokens
  • No persistence mechanisms (OAuth apps, forwarding rules, new MFA devices)
  • Monitoring is in place for re-entry attempts
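The four containment checks above are a comparison between a post-revocation snapshot of your environment and an approved baseline, so they can be scripted and re-run instead of ticked off once. The block below is an added example, not Kodak’s code or any IdP vendor’s: the snapshot and baseline dict shapes are assumptions you would fill from IdP, mail and SaaS admin exports, and every value in them is constructed.

```python
"""Validate containment against a post-revocation environment snapshot.

Added example; not Kodak's or any vendor's code. Snapshot/baseline shapes
are assumptions and the sample values are constructed.
"""
from datetime import datetime

INTERNAL_DOMAINS = {"example.com"}   # assumption: mail domains you own


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_containment(snapshot, baseline):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cutoff = _ts(snapshot["containment_completed_at"])
    first_access = _ts(snapshot["first_confirmed_access_at"])

    # 1. No sessions survived the revoke wave.
    for s in snapshot["sessions"]:
        if s.get("active", True) and _ts(s["created_at"]) < cutoff:
            findings.append(f"session for {s['user']} predates containment and is still active")

    # 2. Every admin account and API token must be in the approved inventory.
    for a in snapshot["admins"]:
        if a not in baseline["approved_admins"]:
            findings.append(f"unknown admin account: {a}")
    for t in snapshot["api_tokens"]:
        if t["id"] not in baseline["approved_tokens"]:
            findings.append(f"unknown API token {t['id']} (owner {t['owner']})")

    # 3. Persistence mechanisms: OAuth grants, forwarding rules, MFA devices.
    for app in snapshot["oauth_apps"]:
        if app["client_id"] not in baseline["approved_oauth_clients"]:
            findings.append(f"unapproved OAuth app '{app['name']}' granted by {app['user']}")
    for rule in snapshot["forwarding_rules"]:
        domain = rule["to"].rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            findings.append(f"external forwarding rule on {rule['mailbox']} -> {rule['to']}")
    for dev in snapshot["mfa_devices"]:
        if _ts(dev["registered_at"]) >= first_access and not dev.get("verified_with_user"):
            findings.append(f"MFA device '{dev['name']}' for {dev['user']} registered during the incident, not re-verified")

    # 4. Re-entry monitoring must be on before anyone says "contained".
    for alert in sorted(set(baseline["required_alerts"]) - set(snapshot["alerts_enabled"])):
        findings.append(f"re-entry alert not enabled: {alert}")
    return findings


def containment_verified(snapshot, baseline):
    return not validate_containment(snapshot, baseline)


# Constructed snapshot: what the environment looked like after the revoke wave.
CONSTRUCTED_SNAPSHOT = {
    "first_confirmed_access_at": "2026-06-09T23:40:00Z",
    "containment_completed_at": "2026-06-10T14:00:00Z",
    "sessions": [
        {"user": "alice@example.com", "created_at": "2026-06-10T14:05:00Z", "active": True},
        {"user": "svc-marketing-sync", "created_at": "2026-06-10T01:58:00Z", "active": True},
    ],
    "admins": ["it-admin@example.com", "helpdesk-tmp@example.com"],
    "api_tokens": [{"id": "tok_01", "owner": "svc-billing"}, {"id": "tok_99", "owner": "svc-marketing-sync"}],
    "oauth_apps": [
        {"client_id": "calendar-sync", "name": "Calendar Sync", "user": "bob@example.com"},
        {"client_id": "mail-backup-pro", "name": "Mail Backup Pro", "user": "carol@example.com"},
    ],
    "forwarding_rules": [{"mailbox": "carol@example.com", "to": "carol.archive@mailbox-example.net"}],
    "mfa_devices": [
        {"user": "carol@example.com", "name": "Authenticator (new phone)",
         "registered_at": "2026-06-10T00:12:00Z", "verified_with_user": False},
        {"user": "alice@example.com", "name": "YubiKey", "registered_at": "2025-01-10T09:00:00Z"},
    ],
    "alerts_enabled": ["mass_download", "unusual_api"],
}
# Constructed baseline: what is supposed to exist.
BASELINE = {
    "approved_admins": {"it-admin@example.com"},
    "approved_tokens": {"tok_01"},
    "approved_oauth_clients": {"calendar-sync"},
    "required_alerts": ["mass_download", "unusual_api", "new_oauth_app", "privilege_grant"],
}

if __name__ == "__main__":
    for line in validate_containment(CONSTRUCTED_SNAPSHOT, BASELINE):
        print("FAIL:", line)
```

Run it until the finding list is empty; until then, “operations are safe” is a statement about availability, not about containment.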

Who owns what (so nothing falls on the floor)

  • Security/IR lead: scope, evidence, containment plan, tooling
  • IT/Ops: account resets, endpoint actions, SaaS config changes
  • Legal/Privacy: notification thresholds, regulator triggers, law enforcement coordination
  • Comms: internal updates, customer messaging, press handling (facts only)
  • Finance/Procurement: payment controls, vendor change verification, invoice holds

Bring in outside incident response early (not after the leak)

Kodak said they engaged outside cybersecurity experts. If you’re dealing with a credible extortion-driven data theft scenario, do the same as soon as you suspect unauthorized access—especially if:

  • You lack centralized logging across IdP + SaaS + endpoints
  • You can’t confidently measure data exports/API activity
  • You need defensible reporting for customers, regulators, or insurers

Early help shortens the “unknown” window. And in extortion cases, that window is where the real damage piles up.

Extortion-driven incidents: communicate clearly without giving attackers extra leverage

When an extortion group is making public claims, they’re trying to control two things: your timeline and your narrative. ShinyHunters’ Kodak post uses the usual pressure pattern—big numbers, scary language, a deadline, and leak threats. Your communications plan has to work in that environment without becoming their megaphone.

Messaging rules that keep you credible (and reduce harm)

  1. Stick to verified facts only

Say what you know, not what you’ve heard.

  • Confirm you detected unauthorized access and that an investigation is active.
  • If you don’t know the size yet, say: “We’re still determining what data was accessed or copied.”
  • Don’t repeat attacker claims like “2.2 million records” as if it’s confirmed.

  2. Say what you’re doing next, in plain language

People don’t need security poetry. They need to know you’re moving.

  • “We’ve contained the issue and are validating what was accessed.”
  • “We’re working with outside incident response specialists.”
  • “We’re coordinating with law enforcement.”

Kodak’s public line hits this pattern: engaged external cybersecurity experts, working with law enforcement, and will share updates as appropriate. That’s a solid baseline. The difference-maker is how consistently you execute it.

  3. Give timelines without making promises you can’t keep

  • Commit to the next update window (example: “within 72 hours”) rather than a full resolution date.
  • If you must delay notification while investigating, explain the reason clearly (legal should guide the wording).

  4. Don’t publish attacker demands, deadlines, or “final warnings”

Even referencing the date can amplify pressure and drive panic. ShinyHunters explicitly used a deadline tactic in the Kodak claim. You can acknowledge “an extortion claim” without repeating their script.

The operational side: comms isn’t a press release, it’s a control

  1. Align fast with law enforcement and regulators

You want one source of truth across:

  • Legal + privacy (notification obligations)
  • Security/IR (what’s verified)
  • Executive sponsor (risk decisions)
  • Comms (how you say it publicly)

If your org is coordinating with law enforcement, say it. Kodak did. It signals seriousness without implying outcomes.

  2. Decide notification triggers early (and document them)

You don’t need perfect scope to plan notifications. You need:

  • A working definition of what counts as customer PII exposure in your environment
  • A threshold for “confirmed access” vs “confirmed exfiltration”
  • A list of jurisdictions/contractual obligations that change your clock

Write this down as decisions get made. It keeps you consistent when pressure spikes.

  3. Support customers with guardrails, not vague warnings

If attackers claim they have customer PII and internal corporate data, assume customers will get convincing messages. Your outreach should include:

  • A dedicated support channel (single URL/phone number, staffed and briefed)
  • Verification steps customers can follow:
      • “We will never ask for your password or MFA code.”
      • “We will not request payment or bank changes by email.”
      • “If you get a message claiming to be us, forward it to [security@…] and call our published number.”
  • A short phishing script for your own teams:
      • “I can’t act on this request from email alone. I’m calling the number we already have on file.”

A simple test before you hit “send”

Ask one question: Does this message help customers protect themselves, or does it help the attacker apply pressure?

If it repeats their claims, their deadline, or speculates on record counts, it’s probably doing the attacker a favor.

Reduce your exposure next time: shrink the data you hand out (practical moves, not promises)

Extortion works because stolen data stays useful. ShinyHunters’ Kodak claim is a good reminder of the blast radius they’re aiming for: customer PII + internal corporate data in one grab. If you want fewer sleepless nights next time, don’t just “improve security.” Reduce what exists, where it lives, and who can pull it out.

1) Data minimization: collect less, keep it for less time

This is boring. It’s also effective.

  • Stop collecting optional PII (if a field isn’t needed for delivery, billing, or legal, cut it).
  • Put a timer on sensitive data:
      • Auto-delete old tickets, chat transcripts, and form submissions that contain PII
      • Expire stale customer records that are no longer active
  • Store “nice-to-have” enrichment data separately from core customer records.

A good rule: if losing it would force you into mass notification, it should have a short shelf life.
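The retention rules above (per-kind timers, stale-but-inactive customer records, enrichment kept apart from core records, and the “short shelf life if losing it forces mass notification” rule) are easy to state and rarely enforced because nobody wrote the decision down as code. The block below is an added example, not Kodak’s code or any product’s: the record kinds, retention periods, field classes and sample records are all assumptions and constructed values.

```python
"""Retention planning for PII-bearing records.

Added example; not Kodak's or any product's code. Record kinds, retention
periods, field classes and the sample records are assumptions.
"""
from datetime import date

# Assumed default retention per record kind, in days.
RETENTION_DAYS = {"ticket": 180, "chat_transcript": 90, "form_submission": 30,
                  "customer_record": 730, "enrichment": 365}
# Fields whose loss would force mass notification: short shelf life regardless of kind.
NOTIFIABLE_FIELDS = {"ssn", "dob", "government_id", "tax_id"}
NOTIFIABLE_MAX_DAYS = 30
# "Nice-to-have" enrichment that should not live inside the core customer record.
ENRICHMENT_FIELDS = {"employer", "estimated_income", "interests", "social_profile"}


def effective_retention(record):
    """The kind's default, capped hard if the record carries notification-triggering fields."""
    days = RETENTION_DAYS[record["kind"]]
    if NOTIFIABLE_FIELDS & set(record["fields"]):
        days = min(days, NOTIFIABLE_MAX_DAYS)
    return days


def plan_retention(records, as_of):
    """Decide keep/delete per record and flag enrichment data stored in core records."""
    plan = []
    for r in records:
        age = (as_of - r["last_activity"]).days
        limit = effective_retention(r)
        if r["kind"] == "customer_record" and r.get("active"):
            action = "keep"                  # active relationship: the clock is not running
        else:
            action = "delete" if age > limit else "keep"
        notes = []
        if r["kind"] == "customer_record" and ENRICHMENT_FIELDS & set(r["fields"]):
            notes.append("move enrichment fields out of the core customer record")
        plan.append({"id": r["id"], "action": action, "age_days": age,
                     "limit_days": limit, "notes": notes})
    return plan


AS_OF = date(2026, 6, 22)
# Constructed sample records (not real data).
CONSTRUCTED_RECORDS = [
    {"id": "rec-1", "kind": "ticket", "last_activity": date(2025, 11, 1), "fields": ["email", "name"]},
    {"id": "rec-2", "kind": "form_submission", "last_activity": date(2026, 6, 10), "fields": ["email", "dob"]},
    {"id": "rec-3", "kind": "customer_record", "active": True, "last_activity": date(2024, 1, 1),
     "fields": ["email", "name", "tax_id", "estimated_income"]},
    {"id": "rec-4", "kind": "customer_record", "active": False, "last_activity": date(2024, 3, 15),
     "fields": ["email", "name"]},
    {"id": "rec-5", "kind": "chat_transcript", "last_activity": date(2026, 5, 1), "fields": ["name", "ssn"]},
    {"id": "rec-6", "kind": "enrichment", "last_activity": date(2025, 12, 1), "fields": ["employer"]},
]

if __name__ == "__main__":
    for p in plan_retention(CONSTRUCTED_RECORDS, AS_OF):
        print(p["id"], p["action"], f"age={p['age_days']}d limit={p['limit_days']}d", p["notes"])
```

Note how `rec-5` gets deleted after 52 days even though chat transcripts nominally keep for 90: the SSN in it triggers the notification cap, which is the “short shelf life” rule made mechanical.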

2) Compartmentalization: don’t let one access path open every drawer

A lot of real-world damage happens when systems are too connected.

  • Separate systems by purpose:
      • Support shouldn’t have full CRM export rights.
      • Marketing tools shouldn’t hold the same identifiers as billing.
  • Use role-based access like you mean it:
      • Remove standing admin access.
      • Approve privileged access only when needed, for limited time.

3) Put hard limits on exports (because “read access” becomes “copy access” fast)

Attackers don’t need ransomware to hurt you. They need downloads.

Set controls that make mass exfiltration harder:

  • Disable or restrict bulk export features in CRM/ERP where possible.
  • Alert on high-volume exports and unusual API activity.
  • Restrict API tokens and integration accounts to the minimum objects they need.

If an extortion group is publicly claiming “millions of records,” they’re usually talking about bulk movement, not single-record lookups.

4) Stop using permanent identifiers everywhere (this is where most teams slip)

Even if you tighten systems, partners, vendors, and sign-up forms still become leak points. The fix is simple in concept: don’t make your real email and phone number the master key to everything.

For individuals and teams, tools like Cloaked help by creating masked emails and phone numbers you can use for vendor accounts, demos, forms, and one-off relationships. If that third party gets breached, the attacker doesn’t automatically get a clean line to your real inbox or number. It’s not a silver bullet, but it’s a practical way to shrink the downstream harm when PII gets passed around too freely.

5) Make “less data” a real KPI, not a slide

If you can’t measure it, it won’t happen.

Track:

  • Number of systems storing customer PII
  • Number of users who can export customer lists
  • Retention periods actually enforced (not “policy says”)
  • Count of third parties receiving customer identifiers

This is how you turn “reduce breach impact” from a slogan into an operating habit.
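The four KPIs above only stay honest if they are computed from an inventory rather than estimated in a slide. The block below is an added example, not Kodak’s code or any product’s, that derives them from a data inventory of systems, roles (with inheritance), users and third parties; the inventory shape and every value in it are assumptions/constructed. The export-rights KPI resolves role inheritance transitively, which is where “support shouldn’t have full CRM export rights” usually fails in practice.

```python
"""Compute the four "less data" KPIs from a data inventory.

Added example; not Kodak's or any product's code. The inventory shape and
all values are assumptions/constructed.
"""
# Assumed set of field names that count as customer identifiers.
PII_FIELDS = {"email", "name", "phone", "address", "tax_id", "dob"}

# Constructed inventory (not a real environment).
CONSTRUCTED_INVENTORY = {
    "systems": {
        "crm":       {"fields": ["email", "name", "phone"], "retention_policy_days": 730, "retention_enforced": False},
        "billing":   {"fields": ["email", "tax_id", "address"], "retention_policy_days": 2555, "retention_enforced": True},
        "marketing": {"fields": ["email"], "retention_policy_days": 365, "retention_enforced": True},
        "analytics": {"fields": ["pseudonymous_id"], "retention_policy_days": 90, "retention_enforced": True},
    },
    "roles": {
        "support":       {"perms": ["crm:read"], "inherits": []},
        "support_lead":  {"perms": ["crm:export"], "inherits": ["support"]},
        "marketing_ops": {"perms": ["marketing:export"], "inherits": []},
        "admin":         {"perms": ["*"], "inherits": []},
    },
    "users": {"alice": ["support"], "bob": ["support_lead"], "carol": ["marketing_ops"],
              "dan": ["admin"], "erin": ["support", "marketing_ops"]},
    "third_parties": {"mail-vendor": ["email"], "analytics-vendor": ["pseudonymous_id"],
                      "shipping-vendor": ["name", "address", "phone"]},
}


def resolve_permissions(role, roles, _seen=None):
    """Transitive closure of a role's permissions; tolerates inheritance cycles."""
    seen = _seen if _seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    perms = set(roles[role]["perms"])
    for parent in roles[role].get("inherits", []):
        perms |= resolve_permissions(parent, roles, seen)
    return perms


def pii_systems(inv):
    return {name for name, s in inv["systems"].items() if PII_FIELDS & set(s["fields"])}


def users_who_can_export(inv):
    """Users holding '<pii-system>:export' (directly or by inheritance) or a wildcard."""
    pii = pii_systems(inv)
    exporters = set()
    for user, user_roles in inv["users"].items():
        perms = set().union(*(resolve_permissions(r, inv["roles"]) for r in user_roles))
        if "*" in perms or any(f"{s}:export" in perms for s in pii):
            exporters.add(user)
    return exporters


def unenforced_retention(inv):
    """PII systems where retention exists as policy only, not as an enforced job."""
    return {n for n in pii_systems(inv) if not inv["systems"][n]["retention_enforced"]}


def third_parties_with_identifiers(inv):
    return {n for n, fields in inv["third_parties"].items() if PII_FIELDS & set(fields)}


def kpis(inv):
    pii = pii_systems(inv)
    return {
        "systems_with_pii": len(pii),
        "users_who_can_export": len(users_who_can_export(inv)),
        "pii_systems_retention_enforced": f"{len(pii) - len(unenforced_retention(inv))}/{len(pii)}",
        "third_parties_receiving_identifiers": len(third_parties_with_identifiers(inv)),
    }


if __name__ == "__main__":
    for k, v in kpis(CONSTRUCTED_INVENTORY).items():
        print(f"{k}: {v}")
    print("exporters:", sorted(users_who_can_export(CONSTRUCTED_INVENTORY)))
```

Wire the inventory to the sources of truth (IdP groups, CRM role definitions, vendor register) and the numbers will move on their own; if they never move, the minimization program is a slide after all.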
