The other problem is...
The call centers are usually located in other countries so when a call comes through you are not suspicious of the withheld number nor the slightly non-native English person talking to you. They sound a bit foreign, but they have all my details, fair enough must be genuine.
I had this recently with Barclay's who decided (without prompting) to call me regarding an upgrade to the company online banking system. I refused to to talk to the person, she had all the details but without any indication from Barclay's they were doing this, I wasn't biting. Later on I find out the call was genuinely from Barclay's.
Talk talk should be held liable for any customer who is caught out and should be made to pay back any money lost. Then on top of that, a big fine for failing to protect customer data + failing to properly notify customers of the breach.