No, actually, with proper security it _couldn't_ happen. I worked for a very large financial company; I had root access to every Unix machine in the company. Even if my account had been compromised, it wouldn't have allowed the attacker to steal massive amounts of data quickly, because the data was encrypted. It would probably have been possible to manage to dig out the necessary info to gain SQL access to one of the DBs if you had control of my account, but trying to pull _all_ of the data out that way would have triggered alarms. Further, a database from 2007 that still contained personal data should not have been online. Sorry, Sony (like far too many companies) simply didn't consider security to be worth the hassle.
Sony Online loses 12,700 credit card account numbers, 24.6 million accounts compromised [update 2]
May 3rd 2011 9:32AM (Joystiq)