The Justice Department is investigating whether senior executives at the credit monitoring company Equifax, which is already under fire for its handling of a mammoth security breach, broke insider trading laws, according to sources at Bloomberg.

The investigation will focus on three top executives at the company who sold off nearly $2 million in stocks before disclosing to the public that the company had been the victim of a massive cybertheft. Bloomberg said one of the executives in the government’s crosshairs is the company’s chief financial officer, John Gamble.

The move means that these Equifax executives could soon be facing criminal charges.

Equifax announced on September 8 that Social Security numbers and other highly sensitive information for 143 million of its customers had been stolen, a disclosure the company made a full six weeks after the company discovered the breach. The Justice Department will investigate whether Equifax’s executives sold stocks based on information not yet available to the public. The probe will not delve into Equifax’s decision to wait six weeks to inform consumers they had been breached — a set timeline for companies to inform customers that they’ve been hacked is unregulated on a federal level, and waiting to disclose is common practice.

Several days after the company was internally informed about the hack on July 29, Gamble, president of US information solutions Joseph Loughran, and president of workforce solutions Rodolfo Ploder all sold off their stocks. Since news of the hack went public, Equifax’s stock value has dropped 35 percent and continues to fall.

Equifax denied in a statement to Bloomberg that the company’s executives were aware of the breach at the time of the stock sale. The Justice Department has yet to comment on the probe.

The Justice Department joins a slew of government and congressional probes into Equifax and its handling of the hack. The Federal Trade Commission, Consumer Financial Protection Bureau, Senate Finance Committee, and other congressional committees have all announced probes into the company. Equifax has also been hit with a growing number of class-action lawsuits.

The Equifax hacks are one of the worst data breaches of all time

What sets Equifax’s latest breach apart has less to do with numbers — Yahoo’s data breach last year affected 500 million accounts — and more with the value of the data stolen. Still-unknown hackers gained access to a trove of names, birthdates, Social Security numbers, and addresses of Equifax users. With so much personal information, criminals can easily apply for fraudulent loans, open bank accounts or credit cards under the name of unsuspecting victims, or carry out other crimes.

It hasn’t helped that Equifax has handled the situation incredibly poorly. After disclosing the hack six weeks after it was discovered, Equifax sought to make good with customers by offering free credit monitoring and identity theft protection. But any customers who signed up for the deal might automatically waive their right to join a class-action lawsuit against the company.

After public outrage, the company made clear that the clause did not apply to the latest hack. Still, some 30 lawsuits against the company have already been filed.

Complicating the matter even further, some individuals may have had their sensitive personal information handled by Equifax without choosing to sign up for it. Any credit report that gets pulled, such as for background checks for loans or to get approved to rent an apartment, could be from one of the big three credit agencies, including Equifax.

That means the potential number of victims is enormous. In addition to the 44 percent of the US population affected by this hack, an unknown number of customers in the United Kingdom and Canada were also hit.

What to do if you think you’ve been hacked

Anyone concerned that they were affected by the hack should check their credit accounts immediately for any suspicious activity, set up a fraud alert, and watch their credit card and bank accounts. You could also freeze your credit account to prevent anyone from fraudulently applying for your credit. It’s also a good idea to set up two-factor authentication on important financial accounts to deflect hackers with stolen information. (There are several good guides on what to do if you’ve been hit by this attack, including these suggestions from CNN and CNET.)