Re: flailing around to find the actual hacker
I have seen it reported that there were telephone-based social engineering attacks going on for at least a week, and probably longer, before the main hacking event took place. I therefore think that the TalkTalk vulnerability to an SQL injection attack has been fairly common knowledge in the black hat community for quite a while, with many a script kiddie giving it a go to see what could be extracted.
As the only reported attacks have been social engineering ones, I am inclined to believe TalkTalk when they say that no complete bank details could be stolen via this SQLi attack. The script kiddies being rounded up thus far are just the first few muppets with UK IP addresses seen in the logs of TalkTalk; small fry and of no real importance at all, though UK police will doubtless be prosecuting with customary verve.
As the main hack event coincided with a major DDoS, I rather think that a larger hacking outfit had a good, long sniff round the original SQLi vulnerability and decided that since TalkTalk appeared to be rather bad at security, more than just incomplete bank data might be obtainable if a bit more force were used.
Thus far, very few reports of major thefts from TalkTalk customers' accounts seem to be surfacing, so it would appear that at least some of TalkTalk's security is decent.