A ransomware group claims to have stolen personal data tied to 2.2 million Kodak customers, but no state breach notification filings have surfaced to confirm the scale of the alleged theft. The gap between the crew’s headline figure and the public record raises a direct question: did the attackers actually export millions of records, or are they inflating a number to pressure Kodak into paying? For the people whose names, emails, or payment details may be in that dataset, the absence of official notifications means they have no way to know whether they are affected or what steps to take.
Why the 2.2 million claim demands scrutiny right now
Ransomware crews routinely overstate the volume of stolen data because bigger numbers attract more media attention and increase pressure on victims to negotiate. The 2.2 million figure attributed to this group has not been matched by any filing in the three state repositories that serve as the most reliable early indicators of a confirmed breach. Massachusetts publishes consumer notification letters through its breach archive once a company alerts residents. As of mid-June 2026, no Kodak-specific letter appears in that archive. The same is true in Maine, where the Attorney General’s office maintains a searchable list of breach notices that often includes the actual notification letters with incident date ranges, data categories, and per-state resident counts. No Kodak filing is listed there either.
These portals are not decorative. When a company confirms a breach and begins notifying affected individuals, state law in Massachusetts and Maine requires it to file with the relevant attorney general. The absence of filings does not prove the breach never happened, but it does mean the 2.2 million figure is, for now, an unverified assertion by the attackers rather than a number confirmed by the company or any regulator. That distinction matters because consumers who see a headline about millions of stolen records may panic, sign up for unnecessary credit monitoring services, or fall for phishing scams that exploit the confusion.
The hypothesis worth tracking is straightforward: the crew’s total is likely an aggregate sales claim, possibly drawn from a customer database count that includes inactive accounts, duplicate entries, or records that contain no sensitive personal information at all. That theory becomes testable once the first state notification letters appear. Each letter typically discloses how many residents of that state were affected. Adding up the per-state counts from Maine, Massachusetts, Pennsylvania, and other filing states will show whether the numbers even approach the 2.2 million mark or fall far short of it.
State portals that would confirm a Kodak breach filing
Three primary government repositories function as the earliest public checkpoints for breach disclosures. Massachusetts requires companies to submit notification letters when a breach affects state residents, and those letters are archived for public review. Maine’s system is similar but often more detailed: the Maine Attorney General list frequently links to the full PDF of the letter sent to consumers, which spells out the type of data exposed, the timeline of the incident, and the number of Maine residents involved. Pennsylvania operates under its Breach of Personal Information Notification Act, which sets notification thresholds for when entities must alert the state attorney general. Together, these three portals create an enforcement trail that reporters, regulators, and affected individuals can follow.
None of these repositories currently contains a Kodak-related filing. That means no official record exists showing incident date ranges, categories of compromised data, or mitigation steps the company may have taken. Without those details, the public record offers no way to verify the ransomware crew’s claim or to assess how serious the exposure might be. Companies sometimes delay notification while they investigate, and state filing timelines vary, so a future filing cannot be ruled out. But the longer the gap persists between the crew’s announcement and any official disclosure, the weaker the case for the 2.2 million figure becomes.
Unanswered questions about the Kodak data claim
Several pieces of information remain missing from the public record. No direct statement from Kodak confirming or denying the breach has been published in the state portals or attributed to the company in the available evidence. The ransomware crew has not released verifiable sample data that would let independent researchers confirm the records are genuine, current, and drawn from Kodak’s systems rather than scraped from older, already-public sources. And no state attorney general has issued guidance to Kodak customers about protective steps, which typically follows a confirmed filing.
The type of data allegedly stolen also remains unclear. A database of 2.2 million email addresses poses a different risk than one containing Social Security numbers, payment card details, or medical information. State notification laws generally distinguish between these categories, and the severity of required consumer remedies, such as free credit monitoring or identity theft insurance, depends on what was taken. Until a filing surfaces, affected individuals cannot gauge their own exposure.
There is also no clarity on the time frame of the alleged intrusion. Notification letters usually identify when unauthorized access began, when it was discovered, and how long attackers remained in the environment. That timeline helps regulators and customers understand whether the company acted promptly and whether older transactions or accounts might be involved. In this case, without a dated notice, it is impossible to know whether the incident-if it occurred-was recent or tied to legacy systems.
Another open question is how the attackers claim to have accessed Kodak’s systems. Ransomware incidents often start with phishing emails, exploitation of unpatched vulnerabilities, or compromised remote access credentials. Companies typically summarize the root cause in their consumer letters, at least in broad terms, and describe what technical safeguards they have since implemented. The absence of such detail leaves observers guessing about whether this was a targeted intrusion against Kodak or an opportunistic hit against a third-party provider that happened to store Kodak-related data.
How consumers can monitor for reliable updates
One practical step is available to anyone concerned. Residents of Massachusetts, Maine, and Pennsylvania can monitor their state attorney general’s breach notification portals directly. These pages are updated as new filings arrive and provide the actual letters companies send to consumers. Checking those portals periodically is more reliable than waiting for news coverage, especially when attackers are loudly promoting their own numbers while companies remain silent.
Consumers who do not live in those three states can still take advantage of the same strategy. Many other attorneys general maintain similar databases or press release pages for breach notices. Searching for a state name alongside “data breach notification” or “attorney general security incident” will usually surface the relevant site. If Kodak eventually files, its notice is likely to appear in multiple jurisdictions where affected residents live, not just where the company is headquartered.
In the meantime, people who have done business with Kodak can take general precautions that do not depend on confirmation of this specific incident. Those include watching bank and card statements for unfamiliar charges, enabling alerts for new sign-ins on major online accounts, and being skeptical of unsolicited emails that reference Kodak, photo orders, or password resets. Attackers sometimes piggyback on high-profile breach claims to send convincing phishing messages, even when they do not actually possess the stolen data they boast about.
Ultimately, the credibility of the 2.2 million figure will be tested not by what the ransomware group posts on its site but by what appears in official records. If future state filings document hundreds of thousands or millions of affected residents, the attackers’ claim will look more plausible. If, instead, the counts are modest-or never materialize at all-the episode will stand as another example of how criminal groups exploit the opacity of breach investigations to amplify their leverage. Until that evidence arrives, the only responsible way to describe the Kodak incident is as an unverified allegation, not a confirmed mass compromise.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
