I am not a legal expert, but unless the guy lost his credit card along with his account access, i.e. if the card details are stored on Sony Servers - then Sony are completely responsible for any fraudulent use. Sony are responsible for all the information on their servers and have a duty of care to ensure that they are stored securely. They could have iris recognition, fingerprint authentication and DNA testing to authorise purchases using the stored information, but they don't. That is their choice, not his. It doesn't matter that the hackers used his account, it is Sony that is sacrificing security for convenience not him, he already had his card details. They are completely and utterly responsible for not checking that it was him that was purchasing the game, and I am sure that they know it. He should sue them for everything he's spent on Sony products and that they have just taken away, and buy a PC.
Also I thought that the PS4 was not going to need to be online in order to play games?