OK, I resisted the urge to comment on the Sony breach that the company reported on April 26 of this year, but in light of recent developments I can't keep from looking at Sony's apparent gross negligence in securing its information.

The first incident reported involved 77,000,000, yes 77 million, records containing names, addresses, email addresses, birthdates, PlayStation Network/Qriocity logins and passwords, handles/PSN online IDs, profile data, purchase history and possibly credit card data.

Then it was disclosed that another 24.5 million records belonging to users of Sony Online Entertainment were stolen in that same first attack.
 
The second attack saw the names and partial addresses of 2,500 product sweepstakes contestants (from 2001) stolen by attackers and posted on a website hosted on an old web server affiliated with Sony.

Lastly, days after the PSN was brought back online following roughly three weeks of downtime, it was discovered that data stolen in the original attack could be used to trigger a fraudulent password reset: anyone who knew an account holder's email address and date of birth could effectively break into that account again.

Issues to Address
Although mistakes can and do happen to all of us, there are some best practices that were ignored.

Pouring Salt on a Wound - The passwords that were stolen were hashed, but at the time of this writing it wasn't clear (read: disclosed) whether or not Sony used a salt when hashing its passwords. The benefit of a salted password is that a simple dictionary attack against the stored values becomes impractical if the salt is large enough, because the attacker can no longer precompute one table of hashes and reuse it against every account.

This practice would have helped to mitigate the tremendous loss to Sony.
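To show why the salt matters, here is an added example (not code from the post or from Sony) that stores the same constructed user passwords both unsalted and salted, then runs one precomputed dictionary table against each store. The salted variant also uses PBKDF2 as the hash, a slow key-derivation step that goes beyond the salt alone discussed above.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happened to pick the same weak password.
USERS = {"alice": "letmein", "bob": "letmein"}
# Constructed attacker wordlist; a real one would hold millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def hash_unsalted(password):
    """Weak scheme: one fast hash of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Hardened scheme: per-user random salt plus a slow KDF (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def build_unsalted_store():
    return {user: hash_unsalted(pw) for user, pw in USERS.items()}


def build_salted_store():
    store = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)  # fresh per user; stored next to the digest
        store[user] = (salt, hash_salted(pw, salt))
    return store


def precomputed_table():
    """Attacker's table, built once from the wordlist with no salts."""
    return {hash_unsalted(word): word for word in WORDLIST}


def crack_unsalted(store):
    """Each stored digest is a direct lookup; one table serves every user."""
    table = precomputed_table()
    return {user: table[h] for user, h in store.items() if h in table}


def crack_salted(store):
    """Same table against the salted store: nothing can match because the
    stored digests depend on salts the table was built without."""
    table = precomputed_table()
    return {user: table[h] for user, (_, h) in store.items() if h in table}


def verify_salted(store, user, password):
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = store[user]
    return hmac.compare_digest(hash_salted(password, salt), digest)
```

Note that in the unsalted store both users end up with an identical digest, so cracking one password cracks every account that shares it; in the salted store the two digests differ even though the passwords are the same.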

Quick and full disclosure - Sony took a week to pass news of the breach on to its customers, and more information turned out to have been stolen than was first reported. While not reporting the full extent could be due to Sony not knowing the full extent, it would seem to be in everyone's best interest to disclose as much information as possible, as quickly as possible, following an attack.

Outdated information - Remove outdated information, because it remains a source of intelligence for attackers. The sweepstakes data stolen in the second attack dated from 2001.

Methodologies/Best Practices - If a web server is no longer active, maintained or patched, please take it offline. The Sony-affiliated website where the information was posted was inactive and out of date.
It was said that the company was unaware the web site was accessible to people outside of Sony. A thorough documentation, audit and testing process when the web site went live, with an inventory that is kept current afterwards, would help to prevent situations such as this.