Was the attack actually sophisticated? Usually, when megacorporations get pwned, the attack is not sophisticated at all, but they pretend it is (for PR reasons). This page doesn't tell us much about the nature of the attack, which is understandable. And as for what was compromised... almost everything of value?
Given that this is an insurance company, I imagine the attackers were either criminals (who wanted to steal this information for identity theft), or state-sponsored attackers (who would want this information for HUMINT reasons, such as verifying identities or determining good targets).
We won't get any technical details. The fact that this was pulled off and the initial compromise was a year ago means they've got no alarm bells for someone dumping the DB.
It's negligence at it's finest. Here's to hoping for class-action. 2 years free "identity theft protection" (which is useless to consumers until post-theft) and credit-report monitoring (which is free to them, and again only comes up post-theft) is pretty bullsh*t.
> And as for what was compromised... almost everything of value?
If the attacker has been in your "IT systems" for 9 months, you'd have to assume _everything_ has been compromised. All the data those systems stored, all passwords that've been used to log into those machines, everything.
Given that this is an insurance company, I imagine the attackers were either criminals (who wanted to steal this information for identity theft), or state-sponsored attackers (who would want this information for HUMINT reasons, such as verifying identities or determining good targets).