http://www.popsci.com/technology/article/2011-05/playstation-network-hackers-used-amazons-cloud-services-launch-their-attack-report-says
So Sony has to say it can protect itself from a brute force attack from a dedicated processing farm that has already been criticized several times by folks since Amazon's service is like giving a battleship to hackers since they can utilize their time however they want.
It was not their fault that this happened, they utilized the industry standard in security, which is very high, and it was overwhelmed by an extraordinary measure (typically botnets which are responsible for most high profile attacks don't have the processing power for a brute force measure against a company this large) which allowed data to be siphoned off.
I am by no means a Sony fanboy, the only product I have of theirs is a PSP, but I believe they acted as swiftly and responsibly as they could. As far as people giving them crap about "it took them 9 days to tell us CC info may have been stolen", let me put it this way, when your anti-virus tells you there is an intrusion, and depending on the software, kills your connection, do you know right away what was compromised? No. Because it is almost impossible to know right away exactly all the data that was affected. Sony's security probably detected an intrusion, and instead of deliberating whether or not it was a big deal, hit the kill switch, as that is the safest thing to do, and then figured out what happened.
I'm honestly surprised they figured out what was taken within nine days, because the information was more than likely copied off of the servers, not removed, to make it less obvious, which means they'd have to check file access logs, and being a large international company I'm sure lots of systems and users access those files all the time, and being that the connection was made behind a proxy (and probably spoofed IPs) it would have been even more difficult to determine who is or isn't authorized to connect.
They've made a very generous compensation to the end users of PSN as the service for them is free and as such the level of service agreement says it's not guaranteed to be up 24/7 and nothing was actually owed to them, to those credit card numbers that were lost (which was 12 million as not every PSN account has CC attached to it) everyone was guaranteed a liability plan of up to 1 million for any losses, and Playstation+ users were compensated for time lost, which is perfectly fair.