Could you please explain how a bank account could be raided using the victim's name, e-mail address, partial credit card details etc?
I can understand that a direct debit might be set up using the victim's bank account name and number. However, the bank that receives the money bears the onus of proving the transaction was not fraudulent, not the victim.
Most of the claimed consequential losses that I have read of are the result of phishing e-mail or telephone cons. They rely on publicly available directory data and perhaps an e-mail header. There is no requirement for stolen data even if that would make the fraud logistics a little simpler.
I am in no way supporting TalkTalk. They seem to outsource customer support and invoicing systems on the basis of price, not competence. The real problem is the general attitude among large companies who actively sacrifice privacy and security in the name of "user-friendliness" and glitz. TalkTalk, like many large corporations, insists that their customers use security-weak mail servers and web browsers in order to do business with them. There is no reason for them to send mail from a server that does not identify itself correctly (PTR records and HELO responses), or for placing code from third-party domains on their web-sites, or using cross-site scripting for payment processing.
This is all part of a culture of technically incompetent senior decision makers. Just try to complain to a large bank or utility company. The standard response is "We are a large organisation that pays our experts a lot of money. Therefore we must know more about these things than you, even if you are an engineer".