Sony failed to follow standard security practices
By its own admission, Sony failed to follow Payment Card Industry Data Security Standard (PCI DSS) guidelines when it failed to delete elderly credit card details from its Online Entertainment network, allowing them to be snaffled up by miscreant hackers.
Robin Adams, director of security, fraud and risk management at The Logic Group and - it says here - "a recognised expert in the Payment Card Data Security Standard (PCI DSS)," says Sony inadvertently admitted that it is not compliant with the standard.
Adams points to Sony's comments regarding the second loss of data it discovered on its servers, the one relating to Sony Online Entertainment. Sony said: “Information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained.”