A Nigerian national has been charged, and others are being sought, in connection with a hack of Los Angeles County emails that might have exposed personal data from hundreds of thousands of people who had business with county departments, officials said Friday.

Kelvin Onaghinor, 37, of Nigeria faces nine counts related to the breach, including unauthorized computer access and identity theft, according to the Los Angeles County Chief Executive Office.

“My office will work aggressively to bring this criminal hacker and others to Los Angeles County, where they will be prosecuted to the fullest extent of the law,” District Attorney Jackie Lacey vowed in a statement Friday.

The same day, the county disclosed that it was the victim of the phishing email attack.

The attack occurred May 13, 2016, when 108 county employees were deceived by an email they believed to be legitimate into providing their usernames and passwords, according to officials.

Some of those employees, according to officials at the county, had “confidential client/patient information” in their email accounts through their county responsibilities.

What was compromised

A forensic examination found that about 756,000 individuals could have been affected through their contact with several departments.

They include: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works, according to county officials.

There was no evidence as of Friday that any confidential information had been released because of the breach. But on Thursday, officials began notifying people that their personal information was exposed and may have been compromised.

That information may have included first and last names, dates of birth, Social Security numbers, driver’s license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history or medical record numbers.

What’s being done now

The day after the attack, county officials said they learned of the breach and put in place strict security measures.

According to the county, directed by the district attorney’s office, notification of potentially affected people was delayed to protect the confidentiality of the investigation and to “prevent further harm.”

L.A. County Deputy D.A. Donn Hoffman of the office’s Cyber Crime Division said it can take time to investigate such cases as the attacker’s digital footprint must be tracked, and because third-parties such as internet service providers often hold essential evidence, which must be obtained through search warrants.

“That’s a time-consuming process,” he said.

Hoffman said the case was still being investigated, and while charges had been filed against Onaghinor, he had not yet been arrested, nor was he believed to be on American soil.

‘Sad reality’

The incident comes amid rising cybersecurity concerns in the U.S. and questions about the extent to which Russian hackers affected the Nov. 8 U.S. election. Intelligence agencies have concluded that Russian hacking interfered in the presidential election with the goal of supporting Republican candidate Donald Trump.

And just Wednesday, Yahoo disclosed that an attack in 2013 compromised more than 1 billion accounts.

It’s the price we pay in our age, experts say.

“The sad reality is, in general, as we want to be robust and flexible and have lots of features in our IT (information technology) systems, we’re going to have security failures along with it,” said Ron Pike, assistant professor in computer information systems at Cal Poly Pomona. “It’s just a reality. Thankfully, cybersecurity is getting better, but right now isn’t a set of perfect solutions.”

Pike said whether the information is used maliciously in such cases depends on whether attackers can make money off it. But even then, at a time when authorities are cracking down and can figure out who hackers are, the reward has to be worth the risk, he said.

Many public agencies have put in place strict rules on what can be shared via email and encryption measures are more stringent than a decade ago, Pike said.

L.A. County officials say they are vigilant.

“These kinds of phishing attacks are on the rise throughout society — and the county has not been immune from that trend,” Joel Sappell, acting director of countywide communications at the Los Angeles County Chief Executive Office, said in a statement. “But we’re always striving to strengthen our security measures and keep our employees educated and trained on how to guard against the growing numbers of cyber intrusions.”

The county is offering free identity monitoring for those who may have been exposed, including credit monitoring, identity consultation and identity restoration.

A call center also has also been set up for anyone seeking more information regarding the incident. The call center can be reached at 1-855-330-6368, Monday through Friday, from 8 a.m. to 5 p.m. PST.

A website has also been established to provide affected individuals with information in numerous languages. Visit www.211la.org/important-notice for more information.

Onaghinor faces 13 years in state prison, if convicted.