"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," he added.
Seybold gave no indication of when Sony expects the PlayStation network to be back up and running.
If past, similar breaches are any indication. Sony is likely to be hit with multiple lawsuits in the coming months. But the vailidity of the lawsuits remains an open question.
Courts have tended to dismiss lawsuits brought by consumers against breached entities such as Sony.
In most cases, courts have held that consumers cannot claim compensatory damages unless they can show that they suffered real harm, such as actual identity theft, because of a breach.
Many courts have held that the mere likelihood that an individual could become a victim of a future identity theft because of a breach is not sufficient grounds for damages. The fact that consumers usually do not have to pay for fraudulent card charges is another factor that courts have frequently cited when throwing out such cases.
One of the few exceptions was a consumer class action against Heartland after the payment processor disclosed a data breach that exposed data stored on tens of millions of payment cards.
In that case, Heartland agreed to pay $4 million to settle a consumer class action lawsuit based on many of the same issues raised in the Sony lawsuit.
Sign up for CIO Asia eNewsletters.