Hirai said investigations showed that the intruders had used "very sophisticated and aggressive techniques" to access the systems and then hide their tracks. "Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network."
It took investigators until April 25 to figure out what personal data exactly might have been taken, but even at that point the company did not know for sure if credit card data had been compromised, Hirai said.
Despite this fact, Sony decided to inform consumers about the potential compromise of their credit card data on April 26, because it wanted to make sure it was complying with all relevant state breach notification requirements, he said.
On May 1, more than 10 days after it first discovered the intrusion into PSN, investigators discovered that data had also been stolen from the Sony Online Entertainment. That discovery prompted a shut down of the service on May 2.
In all, a total of 12.3 million active and expired credit cards, including about 5.6 million in the U.S., were potentially exposed, Hirai said.
The breach at Sony Online Entertainment resulted in the potential theft of account information belonging to 24.6 million account holders. That breach potentially exposed data on 12.700 credit cards and another 10,700 debit cards, all belonging to non-U.S. customers.
Sign up for Computerworld eNewsletters.