When it announced the security issue, Equifax acknowledged the personal information of a limited number of Canadian and United Kingdom residents may have been breached as well.
The company has remained mum on how many Canadians were affected, and has not responded to multiple requests for comment.
The Securities and Exchange Commission (SEC) is also looking into the sales and what the executives knew beforehand to see if the move constitutes insider trading.
Equifax said in a statement it is "working diligently with our bank partners to assess and mitigate any impact to their operations".
Several state attorneys general have also said they would investigate, which could result in fines at the state level.
The Equifax breach not only exposed sensitive personal information of 100,000 Canadiands and 143 million Americans, but it also underscored the huge and largely unaddressed vulnerabilities that make widespread identity theft possible. Equifax says the three executives, which includes the company's second-highest ranking employee, its chief financial officer, were unaware of the bigger breach when they sold their shares. On its Canadian website, as of Tuesday morning, Equifax says "only a limited number" of people may be affected but notes that it is still identifying how many.
Refunds for recently placed credit freezes: Equifax intends to automatically refund consumers who used credit cards to place a security freeze on their Equifax credit file starting at 5:00 PM EST on Thursday, Sept. 7, 2017.
Equifax has been working with the Office of the Privacy Commissioner of Canada (OPC) and will be sending notices via mail directly to all impacted consumers outlining the steps they should take.
The breach, he wrote, "has raised serious concerns about the security of private consumer information held by the nation's largest consumer credit reporting agencies". Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring.
Equifax's September 19 breach assessment for Canadian residents.
"The retention of Mandiant in March was unrelated to the July 29 cybersecurity incident", an Equifax spokesperson told Gizmodo in a statement. Meanwhile, The Wall Street Journal cites an unnamed source "familiar with the investigation" as saying that it looks like the hack was probably state-sponsored.