I think blaming the PR team might be a little unfair; their role is to try to make the best of a bad job.
C suite occupants are fair game, though; they created the "bad job" in the first place.
I find myself wondering what the TalkTalk Data Controller has said about the security of customer data; he/she has a statutory responsibility for its protection even if the responsibility doesn't extend as far as ensuring effective cybersecurity.