I'm not an expert on this, so take everything I'm about to say with a grain of salt.
I'm nonetheless pretty sure that, as always, people on Twitter are off base. It's not about anything like an arbitration clause, and more the simple fact that there's no legal mechanism that creates liability in this situation. Traditional negligence wouldn't apply, and I'm not aware of anything else that would create any kind of liability.
In general, if you want to sue someone for negligence, they're off the hook if the harm actually resulted from a third party's actions, even if the defendant's negligence allowed the third party to cause the harm. This is known as a superseding intervening cause. Such a cause has to be reasonably unforeseeable by the defendant for them to be off the hook, of course. In other words, a third party's act wouldn't let Equifax off the hook if that act was foreseeable. Note that the specific cause doesn't have to be foreseeable, just the type of harm. This is best illustrated in the infamous Flaming Rat Case that most of us read in law school.
The short version is that a guy was cleaning a vending machine with gasoline(!), in a room with an open flame. A rat had apparently taken up residence in the vending machine, and said rat then made a run for it once gasoline started raining down. Unfortunately, the rat's choice of refuge was the heater. It of course caught on fire, then ran back to the original vending machine, which blew up and killed the guy cleaning it. His estate sued the employer for negligence. For our purposes, the important thing is that the appellate court ruled that while the specific facts of the case were doubtless not foreseeable, the general idea that using gasoline near an open flame could result in an explosion was.
So that's the general framework. And of course, it would sound like Equifax would be liable, since I don't think it'd be that hard to get a jury to conclude that someone hacking a company like Equifax is foreseeable.
But as always, there are exceptions. One of those, and AFAIK all jurisdictions in the US have this to some degree, is that an unlawful or intentionally tortious act is per se not foreseeable. The public policy behind this, as I understand it, is to not allow an intentional actor to get off the hook; it's basically a moral judgment that negligence isn't as "bad" as an intentional act, and we want the person who acts intentionally to be the one who's punished instead. So for example, someone who spills gasoline in a parking lot may be liable if someone else slips in it, or a spark then ignites it and burns someone. That's all foreseeable. However, if someone comes along and deliberately lights the pool of gasoline for the purposes of hurting someone, the original spiller wouldn't be liable.
Turning now to Equifax, this is basically why they're in the clear. Even if they were negligent in terms of data security, someone coming along and stealing from them is an intentional and wrongful act, so Equifax isn't then liable. You'd be left trying to hunt down whoever hacked them.
It's a stupid and unjust result, but is a prime example of the law not catching up with technology.
Since negligence (which is common law, i.e. judge-made) doesn't apply, the only way to make a company liable would be for Congress (or a state legislature) to pass a law creating such liability. HIPAA is a good example of this, since it creates penalties for improperly handling information. That this law was necessary further shows that without a specific statute, there wouldn't be any liability.
To my knowledge there aren't any laws about securing the kind of information held by Equifax (or any of the other thousand companies who've been hacked for that matter). Bruce Schneier wrote an essay about this very fact back in 2003, and it's only become more relevant. Corporations can lobby Congress to continue to allow them to be off the hook, and there's no incentive for Congress to do otherwise since We the People are apparently content with the status quo.