Equifax told the U.S. House of Representatives in a letter made public on Friday that its board of directors formed a special committee to review stock sales by company executives weeks before the credit-reporting service disclosed a massive data breach.
Three senior executives including the company’s chief financial officer sold $1.8 million in shares three days after the company learned on July 29 hackers had breached personal data for up to 143 million Americans.
Equifax announced the breach publicly more than a month later, on Sept. 7. The news sparked public outcry, government investigations, a sharp drop in its share price and a management shake-up.
Equifax lawyer Theodore Hester said in a letter dated Thursday to members of Congress announcing the review that the company “takes these matters seriously” and has retained lawyers.
In response to questions about whether the stock sales violated insider trading laws, Equifax has said the executives did not know about the breach when making their sales, which were not prearranged. The company did not immediately comment Friday.
According to regulatory filings, chief financial officer John W. Gamble Jr sold shares on Aug. 1 for $946,000, while Joseph Loughran III, president of U.S. Information Solutions, sold $584,000 in stock on the same day. Rodolfo Ploder, president of Equifax’s Workforce Solutions business, sold $250,000 worth of stock on Aug. 2.
Get Data Sheet, Fortune’s technology newsletter
Equifax stock (efx) was down 28 cents at $106.10 on Friday, a decline of more than 25% from early September.
The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.
Earlier this week, the Atlanta-based company said CEO Richard Smith would leave and forgo this year’s bonus.
Congressional committees plan hearings next week with Smith.
Equifax said in a regulatory filing that it might claw back some of Smith’s compensation for this year, depending on results of the board’s investigation into the breach, which the company has said occurred between mid-May and July.
The breach has already prompted the departures of Equifax’s chief information officer and chief security officer.
The hack, among the largest ever recorded, was especially alarming due to the richness of the information exposed, which included names, birthdays, addresses and Social Security and driver’s license numbers, cyber researchers said.