If whoever cracked Sony open this far takes things one step further, they'll be getting corporate information from Sony corporate servers before Sony executives do.
The attack was launched not from outside, but from an application server within Sony's network that was already protected behind a web server and two firewalls.
Successful hacks always chop away some of the confidence customers have in the company that was hacked.
If they handle it well, that confidence can be rebuilt.
Keeping the attack secret for more than a week, giving few details at first about what had been hacked and what kind of information had been lost, and assuming a few free offers, a couple of apologies and announcing it had hired a new chief of security were all good steps.
But the CISO job is new, which just emphasizes the low priority Sony put on security before its giant online services were cracked wide open.
The WSJ quotes Sony execs as saying the hackers "may" have taken 12,700 credit-card numbers from customers outside the U.S. and 10,700 U.S. bank account numbers from an "outdated database from 2007."
Not much consolation there, I think.
The FBI is investigating the attacks. Congress is investigating Sony.
Sony is posting too-little, too-late notices and warnings to customers on the PlayStation and SOE networks.
Somehow it doesn't seem as if anything it's done so far or has announced plans to do is going to either improve security much, or rebuild the confidence of customers that giving a credit-card number to Sony is any safer than just emailing it to the return address on unrequested email from the former finance minister of Nigeria.