... All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, ...
So they're saying that they have such monitoring/protection, but members who aren't explicitly paying extra for such monitoring/protection aren't being protected from identity theft in any way?
Somehow, I don't find this surprising. But I'm a bit surprised that they'd admit it so blatantly and openly.
(Actually, I'm a bit dubious about their implicit claim to have such monitoring/protection already. But it's fairly common for companies to make such claims for PR purposes, without bothering to actually implement what they're claiming to supply until something like this hits them. Maybe they had another similar incident happen sometime in the past, and are finally getting around to doing something about it?)
(And what exactly does "identity threat protection" mean? Google doesn't seem to have any matches for that phrase, and automatically replaces it with "identity theft protection", which doesn't sound like the same thing at all. ;-)