[sokoloff]

I think you'd also have to demonstrate that Equifax "furnished your consumer report".

If I have $1000 in cash stolen from my house by someone not authorized to work in the US, I'm not liable for an employer violation for not filling out an I-9 form...

[etjossem]

"The term 'consumer report' means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for [credit]."

It's a fairly broad definition. Per press release, Equifax made a data communication of this info to someone who did not show a permissible purpose under § 604.

I would argue that Equifax had months to patch CVE-2017-5638, but they did not. Their web application continued furnishing parts of my consumer report to anyone capable of running https://github.com/mazen160/struts-pwn.