Equifax Inc. learned about a major breach of its computer systems in March-- almost five months before the date it has publicly disclosed,according to three people familiar with the situation.

In a statement, the company said the March breach was notrelated to the hack that exposed the personal and financial data on143 million U.S. consumers, but one of the people said thebreaches involve the same intruders. Either way, therevelation that the 118-year-old credit-reporting agencysuffered two major incidents in the span of a few months adds to amounting crisis at the company, which is the subject of multipleinvestigations and announced the retirement of two of its topsecurity executives on Friday.

Equifax hired the security firm Mandiant on both occasions andmay have believed it had the initial breach under control, only tohave to bring the investigators back when it detected suspiciousactivity again on July 29, two of the people said.

Equifax’s hiring of Mandiant the first time was unrelated to theJuly 29 incident, the company spokesperson said. Vitor De Souza,senior vice president for global marketing at FireEye Inc.,Mandiant’s parent company, declined to comment.

The revelation of a March breach will complicate the company’sefforts to explain a series of unusual stock sales by Equifaxexecutives. If it’s shown that those executives did so with theknowledge that either or both breaches could damage the company,they could be vulnerable to charges of insider trading. The U.S.Justice Department has opened a criminal investigation into thestock sales, according to people familiar with the probe.

Equifax has said the executives had no knowledge that anintrusion had occurred when the transactions were made. Thecompany’s shares fell 1.8% in premarket trading Tuesday. Thestock closed at $94.38 on Monday.

New questions about Equifax’s timeline are also likely to becomecentral to the crush of lawsuits being filed against theAtlanta-based company. Investigators and consumers alike want toknow how a trusted custodian of so many Americans’ private datacould let hackers gain access to the most important details offinancial identity, including social security and driver’s licensenumbers, and steal credit card numbers.

In public statements since disclosing the intrusion on Sept. 7,Equifax said it became aware of the breach only after the datataken by the hackers had been gone for months. The company said itdiscovered the incident on July 29 and “acted immediately to stopthe intrusion and conduct a forensic review.” Equifax hiredMandiant to help with the probe on Aug. 2, and said theinvestigators eventually learned that the hackers had accessed thedata in mid-May.

There’s no evidence that the publicly disclosed chronology isinaccurate, but it leaves out a set of key events that beganearlier this spring, the people familiar with the probe said.

In early March, they said, Equifax began notifying a smallnumber of outsiders and banking customers that it had suffered abreach and was bringing in a security firm to help investigate. Thecompany’s outside counsel, Atlanta-based law firm King &Spalding, first engaged Mandiant at about that time. While it’s notclear how long the Mandiant and Equifax security teams conductedthat probe, one person said there are indications it began to wrapup in May. Equifax has yet to disclose that March breach to thepublic.

One possible explanation, according to several veteran securityexperts, is that the investigation didn’t uncover evidence thatdata was accessed. Most data breach disclosure laws kick in onlyonce there’s evidence that sensitive personal identifyinginformation like social security numbers and birth dates have beentaken. The Equifax spokesperson said the company complied fullywith all consumer notification requirements related to the Marchincident.

Even so, the revelation of an earlier breach will likely raisequestions for the company’s beleaguered executives over whetherthat investigation was sufficiently thorough or if it was closedtoo soon. For example, Equifax has said that the hackers enteredthe company’s computer banks the second time through a flaw in thecompany’s web software that was known in March but not patcheduntil the later activity was detected in July.

Security experts say victim companies have wide leeway about howdeep an investigation they want outside investigators to do. Someclients will limit the breadth of access or the time outsideinvestigators can spend on site. Others want a full assessment thatencompasses their entire computer network and could include theidentification of existing security vulnerabilities. Cost is oftena consideration, but the victim company might also believe abreach’s scope is limited.

It’s the stock sales by several executives that are likely toget the most scrutiny in light of the new timeline. On Aug. 1 andAug. 2, regulatory filings show that three senior Equifaxexecutives sold shares worth almost $1.8 million, with none of thefilings listing the transactions as being part of scheduled10b5-1 trading plans. Equifax’s Chief Financial Officer John Gamblesold shares worth $946,374; Joseph Loughran, president of U.S.information solutions, exercised options to dispose of stock worth$584,099; and Rodolfo Ploder, president of workforce solutions,sold $250,458 of stock.

Equifax has said the executives “had no knowledge that anintrusion had occurred at the time,” and the company spokespersondeclined to make them available for comment.

Under the company’s publicly disclosed timeline, there werefewer than a handful of days between the stock sales and thedate Equifax said the breach was discovered. Under the newtimeline, those sales come several months after the March breachbut before the public had any knowledge of major security issues atone of the country’s three big credit-reporting agencies.

The new timeline is also likely to focus scrutiny on an earliersale by Gamble of 14,000 shares on May 23. According to aregulatory filing, which didn’t indicate that the sale was part ofa scheduled trading plan, the value of that transaction was $1.91million, more than twice the size of his Aug. 1 disposal of 6,500shares for $946,374.

If the two hacks are unrelated it could be that differenthacking teams had different goals. One clue has emerged thatsuggests one goal of the attackers was to use Equifax as a way intothe computers of major banks, according to a fourth personfamiliar with the matter.

This person said a large Canadian bank has determined thathackers claiming to sell celebrity profiles from Equifax on thedark web -- information that appears to be fraudulent, or recycledfrom other breaches -- did in fact steal the username and passwordfor an application programming interface, or API, linking thebank’s back-end servers to Equifax.

According to the person and a Sept. 14 internal memo reviewed byBloomberg, the gateway linked a test and development site used bythe bank’s wealth management division to Equifax, allowing the twoentities to share information digitally.

The discovery suggests that the attackers may have been tryingto piggyback off of Equifax’s connections to large banks and otherfinancial institutions as a backdoor way to hack those entities andgain access to sensitive partner systems. The company spokespersonsaid Equifax is “working diligently with our bank partners toassess and mitigate any impact to their operations.”