The unconvincingly apologetic "data security incident" message is accompanied by the usual platitudes and assurances that everything is being done too late to be of any use.
I've just got one of those. It lists all the information anyone would need to pretend to be me to my bank, while saying that everything's bulletproof as my bank would send me a text message to check I'm me. In their world, SIM swapping is not a thing which ever happens. You know, where n'eer do wells use the same leaked information, ring up my phone provider, pretend to be me, get a new SIM card sent out, and then empty someone's bank accounts.
Also, as everything is apparently 100% safe, they don't even offer the year's traditional ID theft protection.
GDPR should be updated so people who write bollocks e-mails like that and then bugger off to play another round of golf should be shot.