What type of authentication was being used to validate the users that gained entry?
Were the Apache servers and all modules up to date, shielding the system from well-known exploits?
Was all personal identifying data encrypted within the database?
Was the credit card information contained in the profile or stored in a separate or third-party database?
By not implementing hardened and proven techniques to shield from threats in all of these areas, you are inviting crime.
No, the Internet does not make it easy to hack into systems connected to it. That is like saying highways make it easy for thieves to get into your bank's vault. Flaws in security methodologies and implementation provide unauthorized entry.
You stated:
If you had millions of dollars to wreak havoc on a company, you could just go bribe the employees in charge of security, and get all the keys to the servers. So no matter how much "locks" you put on the front door, they are going to come in through the backdoor.
Sony has hundreds of millions invested in the PlayStation Network. If the security of the system was even done in a half-ass way, they would have been able to detect two days' worth of traffic, sending the massive amounts of data contained in 77 million profiles out over the internet. Their IDS, server and network health monitors should have also picked up on these spikes. For them to realize this after two full days shows utter incompetence. Lying to the public about the theft is another issue of ethics that I will not even get into.
And yes it is true that no single safe is impenetrable... this is why security systems are designed in several layers using different technologies at every level. Think of it as a safe, in a safe, in a safe, in a locked room that has a guard and a third-party system monitoring the camera feed. And the stuff in the innermost safe is useless to anyone unless they have a code that is stored in three other secured systems that utilize different technologies for security. The locked system would only provide a limited access token that is only good for a single user and single session... for their own data only.
Sure, a few accounts could be breached because no system is perfect. But it would take many lifetimes to crack 77 million accounts.
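The detection point made in the post above, that a two-day bulk transfer of 77 million profiles should stand out against a server tier's normal outbound traffic, as an added example that is not part of the original thread. It uses a robust baseline (median and MAD) over constructed hourly egress byte counts and only alerts on sustained excursions, so a one-off backup hour does not page anyone while a multi-day pull does; all traffic figures, the seed and the thresholds are constructed assumptions.

```python
"""Sustained egress-volume anomaly detection over constructed hourly byte counts."""
import random
from statistics import median


def robust_baseline(samples):
    """Median and median absolute deviation of the baseline window (resists outliers)."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples) or 1.0
    return med, mad


def anomalous_hours(series, baseline_hours, k=6.0):
    """Hour indices after the baseline whose egress exceeds median + k * MAD."""
    med, mad = robust_baseline(series[:baseline_hours])
    threshold = med + k * mad
    return [i for i, v in enumerate(series) if i >= baseline_hours and v > threshold]


def sustained_runs(indices, min_len):
    """Group consecutive anomalous hours; keep only runs of at least min_len hours."""
    runs, run = [], []
    for i in indices:
        if run and i != run[-1] + 1:
            if len(run) >= min_len:
                runs.append((run[0], run[-1]))
            run = []
        run.append(i)
    if len(run) >= min_len:
        runs.append((run[0], run[-1]))
    return runs


def detect(series, baseline_hours=168, k=6.0, min_len=3):
    """Return (first_hour, last_hour) spans of sustained abnormal egress."""
    return sustained_runs(anomalous_hours(series, baseline_hours, k), min_len)


def constructed_series():
    """Constructed data: 7 baseline days at ~2-3 GB/h, one benign 12 GB backup hour,
    then 48 hours at ~40-45 GB/h standing in for a bulk database pull."""
    rng = random.Random(7)
    normal = [2_000_000_000 + rng.randint(0, 1_000_000_000) for _ in range(192)]
    normal[180] = 12_000_000_000  # single backup spike: anomalous, but not sustained
    exfil = [40_000_000_000 + rng.randint(0, 5_000_000_000) for _ in range(48)]
    return normal + exfil


if __name__ == "__main__":
    for start, end in detect(constructed_series()):
        print(f"sustained abnormal egress from hour {start} to hour {end}")
```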
SURE! Now go home and add two more deadbolts to your own front door, and don't tell me I didn't warn you.
If I was responsible for your valuable information, as well as 77 million others... Hell, if I was only holding 1 dollar from each of the 77 million people, and everyone in the world knew it... Then I would certainly add additional securities to the place which housed it (and I doubt I would have to change my front door). But, thanks for the warning.