The clouds surrounding Equifax are growing ever darker. On Monday, the credit bureau confirmed it suffered a major hacking attack in March—one that took place months before the July breach the company disclosed on Sept. 7, which involved thieves stealing personal information from over 140 million Americans.
Meanwhile, additional reports say the Justice Department is launching a criminal probe of stocks sales by Equifax executives that took place after the company discovered it had been hacked. The news of the earlier breach will likely add extra fodder to the criminal investigation—and to class action lawsuits and a Federal Trade Commission inquiry.
The earlier intrusion came to light after Bloomberg reported Equifax hired the cybersecurity firm Mandiant in March to investigate a security breach, and added that Equifax began alerting corporate customers about the incident:
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate.
The extent of the March hacking incident is unclear. The incident was grave enough for Equifax to tell outside customers—but not enough to tell consumers. Under various state laws, companies must provide notice about material data breaches within a reasonable time. As noted above, Equifax disclosed the July breach on Sept. 7.
“Earlier this year, during the 2016 tax season, Equifax experienced a security incident involving a payroll-related service. The incident was reported to customers, affected individuals and regulators. This incident was also covered in the media,” Equinox said in a statement to Fortune. “The March event reported by Bloomberg is not related to the criminal hacking that was discovered on July 29. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related. The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.”
The Bloomberg report also suggests the different hacking incidents may have been undertaken by two separate hacking groups.
Meanwhile, banks told the Wall Street Journal they experienced a spike this summer in scammers using data related to credit reports to attempt identity theft—suggesting the hackers have already been putting the stolen data to use.
If the March breach led to hackers stealing consumer data, it will add to the already considerable pressure on Equifax executives, especially those who sold stock. In those cases, Bloomberg notes:
It’s the stock sales by several executives that are likely to get the most scrutiny in light of the new timeline. On Aug. 1 and Aug. 2, regulatory filings show that three senior Equifax executives sold shares worth almost $1.8 million, with none of the filings listing the transactions as being part of scheduled 10b5-1 trading plans. Equifax’s Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock.
Other than those who sold stock, however, other executives appear safe from any serious consequences. As Fortune explained in a legal analysis, current U.S. law does not—unlike for harm related to the environmental or food and drugs—provide any criminal penalties for corporate executives that are careless or even reckless with consumer data.
This story was updated to include a statement from Equifax.