Holy sh*t. They have no legal obligation to encrypt customers' data!!
She is in all probability correct, purely from a legal standpoint.
I would expect that her customers could make a reasonable case of breach of contract, due to her company not securing their data in line with reasonable expectations (you will be hacked, your data will be leaked, the only thing you can do about it is encrypt it properly), and walk away from their contracts.
TalkTalk will make much sound and fury about not being able to do so, but let's face it, they can't sue everyone, and if they start affecting your credit rating, you suing them will in all likelihood produce a swift settlement.
I've been down this road before with a mobile provider (not Talk Talk, and not due to data leaks), and the issue was resolved, firmly in my favour, within 3 weeks of issuing court proceedings.