The platform holder has followed up its initial statement on the PlayStation Blog explaining that it only found out about the full extent of the breach a day before yesterday's statement was made.
"Theres a difference in timing between when we identified there was an intrusion and when we learned of consumers data being compromised. We learned there was an intrusion 19th April and subsequently shut the services down," SCEE's Nick Caplin explained. "We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly yesterday evening."
Many people feel they should have been informed the moment Sony took down the network. From a company perspective it's understandable why they waited for all the facts; announcing a breach would have caused waves of needless negative publicity if it was later discovered that nothing was taken at all. Not to mention, customers that took precautions cancelling cards would undoubtedly feel peeved when it later turned out their actions were similarly unnecessary.
There's still actually no conclusive evidence that any credit/debit card information is out there. Our best advice is to contact your bank anyway. Keep a close eye on your statement and get a new card reissued if you're feeling concerned. Unless you've got automatic payments set-up, there's really no harm in getting a new card issued and your bank will be happy to oblige.