[etjossem]

"The term 'consumer report' means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for [credit]."

It's a fairly broad definition. Per press release, Equifax made a data communication of this info to someone who did not show a permissible purpose under § 604.

I would argue that Equifax had months to patch CVE-2017-5638, but they did not. Their web application continued furnishing parts of my consumer report to anyone capable of running https://github.com/mazen160/struts-pwn.