
Kodak hacked: ShinyHunters claims 2.2M records

Kodak confirms an intrusion as ShinyHunters claims 2.2M records. Here’s how GDPR-compliant DLP (Art. 32 and 44‑49) reduces exfiltration and builds evidence.

On June 17, 2026, Eastman Kodak Company confirmed it is investigating a data breach after unauthorized access to company information. The extortion group ShinyHunters claims to hold over 2.2 million records including customer and internal data and threatens to publish them. Kodak states there was “temporary access to a limited amount of data.” While neither the exact volume nor the intrusion method is public, this is a classic exfiltration‑then‑extortion scenario. Reference: BleepingComputer. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/))

Why should EU leadership and CISOs/DPOs care? Theft of customer tickets, internal files, or exported datasets immediately triggers security and governance duties under the GDPR. For a structured overview, see our page on the GDPR framework.

The legal framework in scope

  • GDPR Article 32 — security of processing: implement “appropriate” technical and organizational measures (e.g., encryption, regular testing, access control). Official text: EUR‑Lex. ([eur-lex.europa.eu](https://www.eur-lex.europa.eu/eli/reg/2016/679/art_32/oj/eng?utm_source=openai))
  • Chapter V (Arts. 44‑49) — international transfers: any transfer outside the EEA must comply (adequacy, SCCs, and supplementary measures if needed). Text: EUR‑Lex; overview from the CNPD: CNPD (international transfers). ([eur-lex.europa.eu](https://www.eur-lex.europa.eu/eli/reg/2016/679/oj?locale=EN&utm_source=openai))
  • CNPD — Luxembourg specifics: notion of transfer, adequacy (Art. 45), safeguards (Art. 46), documentation of the legal basis, and EDPB‑recommended supplementary measures. ([cnpd.public.lu](https://cnpd.public.lu/fr/dossiers-thematiques/transferts-internationaux-donnees-personnelles/notion-transfert-donnees-pays-tiers.html?utm_source=openai))

Practically, if datasets (customers, HR, incidents) are copied to infrastructure controlled outside the EEA, you must:

  • establish the transfer mechanism (adequacy or Art. 46 clauses/mechanisms),
  • assess third‑party access risks (e.g., local laws),
  • and, if needed, add technical measures (e.g., client‑side encryption, DLP preventing unencrypted leaks, and robust logging).

The technical approach: flow‑ and evidence‑centric DLP

Goal: prevent, detect, and evidence any unauthorized exfiltration of sensitive data across email, SaaS cloud, browsers, endpoints, or “quiet” channels (APIs, tunnels, archives).

  • Data classification and labeling: automated discovery for PII/PHI, financial/health data; tags and policies per sensitivity.
  • Exfiltration policies: block/quarantine to USB, unapproved cloud, personal mail; content inspection (IBAN/tax IDs, dictionaries, exact data matching).
  • Network and endpoint controls: endpoint agents, proxies/SWG, CASB/CSPM, SMTP/HTTPS rules with decryption in controlled environments per a PIA.
  • Encryption and tokenization: enforce client‑side encryption for authorized exports; “encrypt‑or‑block” policies; key vault under your control.
  • Logging and forensics: signed/timestamped logs to evidence allow/deny decisions and reconstruct events.

Frameworks:

  • ISO/IEC 27002:2022 — control 8.12 “Data Leakage Prevention.” ([nqa.com](https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-27002-Mapping.pdf?utm_source=openai)) and Open Security Architecture.
  • NIST CSF 2.0 — category PR.DS (Data Security). (nist.gov)
  • CIS Controls v8 — Control 3 “Data Protection.” (cisecurity.org)

Relevance to the Kodak incident: whether ticketing systems, file repositories, or exported customer databases, well‑tuned DLP would have flagged unusual volumes, unapproved destinations, or sensitive files leaving unencrypted—and often blocked the exfiltration.

How Luxgap delivers this

  • GDPR scoping and data protection policy: our outsourced DPO/CISO consultants map processing, define sensitive data categories, and draft exfiltration policies to meet Art. 32 and evidence Arts. 44‑49. If you need an outsourced DPO, see our external DPO service.
  • Phased technical rollout: pilot scope (VIP endpoints + email + 2 critical SaaS) in “monitor” for 2‑3 weeks, then “block” on high‑risk scenarios.
  • 24/7 managed SOC: DLP+IAM/EDR/Proxy correlation, “low‑and‑slow” detection, immediate notifications, and regulator‑ready incident reports. Learn more about our managed SOC.
  • Governance and evidence: compliance dashboards (transfers, exceptions, keys), evidentiary log retention, quarterly reviews.

Real‑world case in Luxembourg/EU

For a NIS 2‑covered fiduciary handling cross‑border customer data, we delivered in 6 weeks:

  • discovery/classification over 12 TB of shares and OneDrive,
  • “block unless encrypted” DLP on outbound email and web uploads,
  • CASB to restrict SaaS targets,
  • customer‑controlled KMS key rotation.

Outcome: 78% reduction in non‑compliant egress within 30 days, real‑time visibility of EEA vs third‑country flows, and an evidence pack ready for inspection (GDPR Art. 5(2)/32).

First concrete steps

  1. Map three critical egress flows this week: outbound email, cloud sync, SFTP/API transfers. Note who/what/where (EEA vs third countries).
  2. Enable DLP “monitor” on these flows with simple rules: PII/IBAN/passport; alert only, and sample the false positives.
  3. Enforce “encrypt‑or‑block” for out‑of‑domain emails with PII/health/finance; keep keys in Luxembourg/EEA.
  4. For major SaaS (M365, Salesforce, ServiceNow, etc.), set CASB/DLP policies: external sharing “denied by default,” with dated, documented exceptions.
  5. Prepare GDPR evidence: data→country→legal basis matrix (Arts. 45/46/49), monthly DLP event review, and decision trails.
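To make steps 2 and 3 concrete, and the content inspection and signed logging described in the DLP approach above, here is an added illustration (not Luxgap’s tooling or any product’s code): an IBAN detector with the ISO 13616 mod‑97 checksum to weed out false positives, an “encrypt‑or‑block” decision for out‑of‑domain mail that degrades to “alert” in monitor mode, and an HMAC‑signed, timestamped decision record for the evidence trail. The corporate domain, the signing key and the sample events are constructed placeholders.

```python
import hashlib, hmac, json, re
from datetime import datetime, timezone

INTERNAL_DOMAINS = {"example.lu"}         # assumed corporate domain (placeholder)
LOG_KEY = b"placeholder-log-signing-key"  # assumption: the real key lives in a KMS you control
# IBAN candidates, with or without the usual four-character grouping spaces.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def iban_valid(iban: str) -> bool:
    # ISO 13616 mod-97 check: move the first four characters to the end, map A..Z to 10..35.
    return int("".join(str(int(c, 36)) for c in iban[4:] + iban[:4])) % 97 == 1

def find_ibans(text: str) -> list:
    # Regex hits that fail the checksum are dropped; that is what trims the false positives.
    candidates = (m.group(0).replace(" ", "") for m in IBAN_RE.finditer(text))
    return [c for c in candidates if iban_valid(c)]

def _sign(record: dict) -> str:
    # HMAC-SHA256 over canonical JSON of every field except the signature itself.
    body = {k: v for k, v in record.items() if k != "sig"}
    return hmac.new(LOG_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify_record(record: dict) -> bool:
    # Any later edit to a stored decision record breaks the signature.
    return hmac.compare_digest(record["sig"], _sign(record))

def evaluate(event: dict, mode: str = "block") -> dict:
    # Encrypt-or-block for out-of-domain mail carrying a validated IBAN; "monitor" mode only alerts.
    ibans = find_ibans(event["body"])
    external = event["to_domain"].lower() not in INTERNAL_DOMAINS
    risky = bool(ibans) and external and not event.get("encrypted", False)
    action = "allow" if not risky else ("block" if mode == "block" else "alert")
    record = {  # counts only: the evidence log must not become a second copy of the PII
        "ts": datetime.now(timezone.utc).isoformat(), "from": event["from"],
        "to_domain": event["to_domain"], "external": external, "iban_count": len(ibans),
        "encrypted": bool(event.get("encrypted", False)), "mode": mode, "action": action,
    }
    record["sig"] = _sign(record)
    return record

SAMPLE_EVENTS = [  # constructed sample events, not real traffic
    {"from": "hr@example.lu", "to_domain": "example.lu", "encrypted": False,
     "body": "Payroll file attached, IBAN LU28 0019 4006 4475 0000"},
    {"from": "hr@example.lu", "to_domain": "webmail.example", "encrypted": False,
     "body": "Please find the IBAN LU28 0019 4006 4475 0000"},
    {"from": "hr@example.lu", "to_domain": "webmail.example", "encrypted": True,
     "body": "Encrypted message, IBAN LU28 0019 4006 4475 0000"},
    {"from": "sales@example.lu", "to_domain": "partner.example", "encrypted": False,
     "body": "Order ref LU28 0019 4006 4475 0001, not an IBAN"},
]
```

Run `evaluate(ev)` over `SAMPLE_EVENTS` in monitor mode for the pilot weeks, then switch the default to block; the fourth event shows a checksum‑invalid lookalike passing through without an alert.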

Official sources

  • Kodak/ShinyHunters incident: BleepingComputer. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/))
  • GDPR — Article 32 (security): EUR‑Lex. ([eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/art_32/oj/eng?utm_source=openai))
  • GDPR — Chapter V (international transfers): EUR‑Lex. ([eur-lex.europa.eu](https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=EN&utm_source=openai))
  • CNPD Luxembourg — “International transfers” dossiers: CNPD. ([cnpd.public.lu](https://cnpd.public.lu/fr/dossiers-thematiques/transferts-internationaux-donnees-personnelles.html?utm_source=openai))
  • ISO/IEC 27002:2022 — Control 8.12 DLP: NQA, Open Security Architecture.
  • NIST CSF 2.0 — PR.DS (Data Security): NIST Cybersecurity Framework. ([nist.gov](https://www.nist.gov/cyberframework?utm_source=openai))
  • CIS Controls v8 — Control 3 “Data Protection”: Center for Internet Security. ([cisecurity.org](https://www.cisecurity.org/controls/data-protection?utm_source=openai))

Note: this article targets a European (Luxembourg/EU) audience. Adjust DLP thresholds and policies to your risks and transfer legal bases. For hands‑on support, reach out via the Luxgap page.
