A computer helpdesk employee with access to sensitive passwords from banks and credit companies has been charged with stealing financial information from more than 30,000 people.
Philip Cummings, 33, has been charged with wire fraud and conspiracy in what is believed to be the biggest case of identity theft in US history.
Authorities estimate that victims lost more than $2.7m (£1.7m), although the exact figure is still undetermined.
Another suspect, Linus Baptiste, has been arrested and a third man, Hakeem Mohammed, has pleaded guilty in related cases, the US attorney's office in Manhattan said.
According to United Press International reports, the suspects allegedly gained information from the major credit reporting bureaux using Cummings's access to passwords belonging to Ford Motor Credit, Washington Mutual Bank and seven other financial institutions.
Cummings is believed to have learnt the passwords and codes after working as a helpdesk employee at Teledata Communications (TCI) between summer 1999 and March 2000.
TCI is a New York company that provides lenders with software, terminals and support to help them access the databases kept by commercial credit history bureaux Equifax, Experian Information Solutions and TransUnion.
Having downloaded hundreds of reports at a time, the suspects allegedly sold the lists of credit card numbers, bank accounts and other personal information for $60 each.
Baptiste was arrested on wire fraud charges last month, after his home number was linked with calls into Equifax's database.
Mohammed pleaded guilty to related mail fraud charges in October, and will be sentenced in January.
If found guilty, Cummings faces up to 30 years in prison and a fine of double the value of the losses identified from the fraud.
He also faces up to five years in jail and a $250,000 (£160,000) fine on the conspiracy charge.
Dr Kuan Hon criticises GDPR consent emails that will only eviscerate marketing databases and 'media misinformation'
Apple squashes Steam Link app on 'business conflicts' grounds
Philip Hammond wants to forget rules that the UK agreed with the EU to ban non-European companies from the satellites
Instapaper to 'go dark' in Europe until it can work out GDPR compliance