The clouds surrounding Equifax are growing ever darker. On Monday, Bloomberg cited multiple sources in saying that the credit bureau suffered a major hacking attack in March—one that took place months before the July breach the company disclosed on Sept. 7, which involved thieves stealing personal information from over 140 million Americans.
Meanwhile, additional reports say the Justice Department is launching a criminal probe of stock sales by Equifax executives that took place after the company discovered it had been hacked. The news of the earlier breach will likely add extra fodder to the criminal investigation—and to class action lawsuits and a Federal Trade Commission inquiry.
News of the earlier intrusion came by way of unnamed sources who told Bloomberg the company hired the cybersecurity firm Mandiant in March to investigate a security breach. Meanwhile, Equifax began alerting corporate customers about the incident:
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate.
The extent of the March hacking incident is unclear. If the report is accurate, the incident was grave enough for Equifax to tell outside customers—but not enough to tell consumers. Under various state laws, companies must provide notice about material data breaches within a reasonable time. As noted above, Equifax disclosed the July breach on Sept. 7.
The Bloomberg report also suggests the different hacking incidents may have been undertaken by two separate hacking groups.
Meanwhile, banks told the Wall Street Journal they experienced a spike this summer in scammers using data related to credit reports to attempt identity theft—suggesting the hackers have already been putting the stolen data to use. The Bloomberg report contained a similar account.
If the report of the earlier breach is accurate, and if that breach led to hackers stealing consumer data, it will add to the already considerable pressure on Equifax executives, especially those who sold stock. In those cases, Bloomberg notes:
It’s the stock sales by several executives that are likely to get the most scrutiny in light of the new timeline. On Aug. 1 and Aug. 2, regulatory filings show that three senior Equifax executives sold shares worth almost $1.8 million, with none of the filings listing the transactions as being part of scheduled 10b5-1 trading plans. Equifax’s Chief Financial Officer John Gamble sold shares worth $946,374; Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099; and Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock.
Apart from those who sold stock, however, executives appear safe from any serious consequences. As Fortune explained in a legal analysis, current U.S. law, unlike for harm related to the environment or food and drugs, does not provide any criminal penalties for corporate executives who are careless or even reckless with consumer data.
Equifax did not immediately reply to a request for comment about why it did not disclose the March breach.