Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
To paraphrase gaming guru Garnett Lee, "Holy crap, an absolute worst-case scenario security breach and it takes Sony almost a week to own up to it."
For consumers, the fact that Sony waited this long to inform users that their credit cards might have been compromised is an unconscionable delay. That said, from a corporate standpoint, I understand why they did it. This is not a situation where you can afford a "false positive." Announcing that people's accounts have been compromised before understanding the nature of the breach creates unnecessary panic and instantly destroys credibility. There were very few pitfalls for Sony, as a company, to wait and figure things out (Their credibility was already going to be in tatters after this. Waiting a few days longer didn't change that too much, except to make the tatters more fine and decrepit looking).
My guess is, they knew immediately that data had been compromised, but they didn't know how much of it or in what manner (it sounds like they are still figuring that part out). If the scope of the intrusion was limited, they could have made a determination, made a brief announcement and tried to deal with the limited number of people that were affected. But it turned out not to be limited, and now millions of people are pretty pissed about it.
Lots of questions still remain. How did this intrusion take place? Who was responsible? Did one single individual or party really get access to dozens of millions of credit card numbers? Who was affected? And so forth. Whatever the case, this news is huge, and will shape people's perception of the Sony brand and the Playstation Network for years to come.