It seems we have a winner for the longest-ever undetected intrusion in an insurance network.
That is certainly a deviation from the commonly cited figure of 197 or so days.
What's also interesting is this: if you stay undetected for 9 years, how far can you move in that datacenter? There must have been traffic flows showing lateral movement. This also shows how hard it is to detect that lateral movement.
"Most disturbing is that an intruder or a malicious program or code could be into the systems and not previously detected. Nine years is beyond the normal refresh lifecycle for most servers."