
I wonder how they discovered they were hacked, and how they arrived at the 309,079 records number.

What logs are typically 'left behind' for forensics to analyze after the fact? It's not like they have packet captures of all network communications they can analyze, or a list of every SQL query that was run after the attacker found a way to inject...



Something like they found a SQL dump file that shouldn't exist, looked at its creation date, inspected the log files (e.g., web server logs) and found network activity indicating it had been sent somewhere bad. Or they saw some unusual activity when doing a monthly analysis of web log activity, dug into it, and realized the whole DB had been sucked out through a SQL injection exploit. Or...the possibilities are endless.

Since web servers are most reliably logged even on poorly maintained systems, I'm guessing at least part of the attack hinged on that. It's really common to have servers that end up with no disk space because web logs aren't being rotated and archived/pruned properly.
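The triage the comment above sketches (an unexpected SQL dump file, its creation time, and web server logs as the most reliable evidence) can be scripted. The following is an added example, not code from the thread: it parses combined-format access log lines, flags requests whose decoded path carries SQL syntax, flags unusually large responses, sums bytes served per client, and correlates requests with the dump file's modification time. The log lines, the dump timestamp, the thresholds and the client addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample of "combined" access-log lines (not taken from the thread).
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2023:03:14:01 +0000] "GET /products?id=42 HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2023:03:14:02 +0000] "GET /products?id=42' HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2023:03:14:05 +0000] "GET /products?id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 9801233 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2023:03:15:10 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2023:03:16:00 +0000] "GET /backup/dump.sql HTTP/1.1" 200 45000000 "-" "curl/7.88"
198.51.100.9 - - [12/Mar/2023:03:17:00 +0000] "GET /favicon.ico HTTP/1.1" 304 - "-" "Mozilla/5.0"
"""

# Constructed modification time of the dump file that "shouldn't exist".
DUMP_MTIME = datetime(2023, 3, 12, 3, 15, 30, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Crude indicators of SQL syntax in a decoded request path; tune per application.
SQLI_RE = re.compile(r"(?i)'|\bunion\s+select\b|--|/\*")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    rec["decoded_path"] = unquote(rec["path"])  # decode %xx before pattern matching
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def injection_hits(records):
    return [r for r in records if SQLI_RE.search(r["decoded_path"])]


def large_responses(records, threshold):
    return [r for r in records if r["size"] >= threshold]


def bytes_by_client(records):
    totals = defaultdict(int)
    for r in records:
        totals[r["ip"]] += r["size"]
    return dict(totals)


def requests_near(records, when, minutes):
    """Requests within +/- `minutes` of a file timestamp, e.g. an unexpected dump's mtime."""
    delta = timedelta(minutes=minutes)
    return [r for r in records if when - delta <= r["ts"] <= when + delta]


def triage(text, dump_mtime, window_minutes=1, size_threshold=5_000_000):
    """Summarise the indicators a responder would pull from the web log first."""
    records = parse_log(text)
    hits = injection_hits(records)
    big = large_responses(records, size_threshold)
    # A client that both sent SQL syntax and pulled large responses is the first to examine.
    suspects = {r["ip"] for r in hits} & {r["ip"] for r in big}
    return {
        "records": len(records),
        "injection_hits": len(hits),
        "large_responses": len(big),
        "bytes_by_client": bytes_by_client(records),
        "near_dump": len(requests_near(records, dump_mtime, window_minutes)),
        "suspect_clients": sorted(suspects),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG, DUMP_MTIME).items():
        print(f"{k}: {v}")
```

The bytes-per-client total is the number that lets a responder bound how much data left through the web tier, which is one way a record count like the one in the article can be estimated; the window around the dump's mtime narrows the log to the requests worth reading line by line.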



