Free credit monitoring is the de facto response in the case of a data breach incident. The organization that was entrusted with sensitive, personal information that can be used to steal the customers’ money or identity (or both) generally picks up the tab for a year of free credit monitoring to keep an eye on things and make sure no suspicious activity occurs. With the rate and scope of data breaches these days, probably just about every American with a bank account or credit card already has free credit monitoring from at least one data breach–but not Citigroup.

Following a data breach that exposed information from as many as 360,000 credit card accounts, Citigroup sent letters to the affected customers with some helpful tips to follow, but it stopped short of offering any actual assistance. That translates roughly to “hey, sorry we didn’t take better care of your data–sucks being you.”

It’s the least you can do Citigroup. No, really–it is literally the least you can do. It is the bare minimum you can offer loyal customers as some feeble apology for violating the trust of your customers and allowing sensitive data to be compromised or exposed. Honestly, the credit monitoring even seems like a paltry apology–but it is better than nothing, and it seems like the most logical course of action for the organization because there is no way of knowing up front which accounts will actually be impacted. Free credit monitoring at least lets customers know you care enough about having exposed their data to offer to keep a proactive eye on things rather than placing the burden on the customers to monitor for suspicious activity themselves.

Citigroup should be examining how the data breach occurred and putting tools and controls in place to ensure it doesn’t happen again. In the meantime, though, Citigroup should step up and offer free credit monitoring.