The initial attack was disguised as a purchase, so wasn't flagged by network security systems. It exploited a known vulnerability in the application server to plant software that was used to access the database server that sat behind the third firewall, said Hasejima.

Management at Sony Network Entertainment International, the company that manages the network platform for the two services, wasn't aware of the vulnerability, said Hasejima.

The appointment of a chief information security officer will be one of the measures taken by Sony to ensure such a mistake doesn't happen again, the company said. It also plans to add automated software monitoring systems to help guard against future attacks and to spot unusual network activity.

When services return, Sony will ask all users to change their account passwords.

The company is also planning to offer selected software downloads at no charge and an one month extension for users on the subscription-based PlayStation Plus service.