To me it makes sense to keep good records of security events so if I were to get this "signal" I'd make sure the details were captured and the appropriate people informed. Then I'd double check the obvious things like who logged into the database server that day, who had access to backups, who may have worked on database code in that time, when that code was last (or ever) audited and so on.