If I recall correctly, US Congress passed a resolution [1] shortly after the Equifax breaches became public that essentially restricted the capabilities of people to sue Equifax [2].
I believe the prohibition on ex post facto laws applies only to criminalization of behavior that was previously lawful. That is, it would not apply to civil matters of any sort, and it also would not apply where immunity is effectively conferred—only where prior actions are made illegal.
Upon quick searching, it looks like scholars have debated the civil/criminal point:
You can't be convicted for something that was legal when you did it but was made illegal afterwards, so retroactive prohibitions don't apply.
However, it's not symmetric - lifting prohibitions can be done retroactively, to not prosecute people for things they did back when it was still prohibited.
Unfair, arbitrary prosecution may violate someone's rights, but unfair, arbitrary immunity cannot - there's no right to get someone else punished.
I believe Equifax is currently facing 240 state and class-action suits. Still doesn’t seem the appropriate way to handle an entire nation being affected by their failure.
Unless those actions pool resources and forces, Equifax stands a good chance of defeating most of them in detail. String most along, cherry-pick the most likely to prevail against (with a combination of lobbying, legislation, politicking, marketing, and legal maneuvers), win or stalemate those, then work their way down the list with those precedents in their negotiating back pocket.
[1]: https://www.congress.gov/bill/115th-congress/house-joint-res...
[2]: https://techcrunch.com/2017/10/24/congress-votes-to-disallow...