Let me get this straight.
Step 1) Get hacked due to negligence.
Step 2) Implement 2-factor authentication.
Step 3) CHARGE FOR IT.
Step 4) Profit.
Seriously... WTF.
While I realize Adam has clarified this to a certain degree, this whole response has just been clownshoes and this is just yet another example of it. Clearly they're not in the right frame of mind if one of their top of mind concerns is the effect of the cost of sms messaging for authetication on their bottom line.