The problem is it's hard to determine exactly who--or even where--the culprit really is.
Instead we need to put consequences on these companies for creating these troves of spy-data in the first place.
Imagine if the problem was: "Foreign hackers need to face consequences for making cars explode." Sure, prosecuting them is a good idea, but the first priority should be to stop making cars that can be exploded by anyone.