How stupid
Do they think people are?
The last 4 digits are a standard security question when trying to access other accounts and services, and combine that with the personal contact info and identity theft is a no brainer.
And the bigger question is wtf is the card data doing in the same place as the other website data? It should be held in separate databases and secured separately as well but I guess its a lot easier to stick it all in one database!
If only TalkTalk put as much effort into security as they have put into polishing the current turd this would not have happened.