The saga of Equifax's massive 2017 data breach continues, as the Justice Department this morning announced formal charges against four members of the Chinese military allegedly behind the hack.

Attorney General William Barr today made public an indictment (PDF) filed in federal court in Atlanta (where Equifax is based). Four members of the People's Liberation Army are charged with hacking into the company to steal both individuals' data and company trade secrets. The men used a known vulnerability in Apache Struts to enact "a deliberate and sweeping intrusion into the private information of the American people," Barr said.

All four men—Wang Qian, Xu Ke, Liu Lei, and Wu Zhiyong—are members of the Chinese army's 54th Research Institute and face a total of nine charges, including computer fraud, wire fraud, and economic espionage, as well as conspiracy to commit computer fraud, wire fraud, and economic espionage. "This was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Barr said.

Equifax disclosed the probable worst-ever leak of US individuals' data in September 2017. Eventually, Americans learned that over the course of three months, unauthorized persons took from Equifax data pertaining to 150 million individuals, including names, Social Security numbers, dates of birth, driver's license numbers, phone numbers, and email addresses. More than 200,000 consumers' credit card numbers were also accessed. Equifax, in its role as one of the "big three" credit agencies, has access to virtually all consumer data, with no way for individuals to opt out.

The company reached a settlement in July with state and federal regulators over its role in the breach. At least $300 million goes into a fund to pay for credit monitoring services for "affected customers," which includes more than 40% of the entire US population. That fund may be boosted by another $125 million if the initial $300 million isn't enough to compensate all consumers who make claims.

Equifax also agreed to pay another $175 million in fines to be split up among the 50 attorneys general who filed suit, representing 48 states, Washington DC, and Puerto Rico, and $100 million in penalties to the Consumer Financial Protection Bureau.