Before noticing something strange—a Chase Bank query that shouldn’t have been there—on a calm spring afternoon in 2017, David Mifflin wasn’t too interested in credit reports. He hadn’t submitted a card application. Days later, there was more strange activity. Someone seemed to have gained access to his financial identity through a side door.
When Mifflin contacted the bank in frustration and growing anxiety, he was told that his Social Security information had been used. And, terrifyingly, that was only the start. He was caught up in a vicious loop of calls, fraud alerts, and restless nights for the following two weeks. He repeated the same words over and over: “This isn’t mine. Don’t issue that card, please. Someone has hacked me.”

| Key Item | Details |
|---|---|
| Triggering Event | Equifax data breach disclosed in 2017 |
| Number of People Affected | Over 147 million U.S. consumers |
| Root Cause | Unpatched Apache vulnerability and expired SSL certificate |
| Victim Highlight | David Mifflin, San Antonio resident experiencing repeated identity fraud |
| Industry Under Fire | Equifax, Experian, TransUnion |
| Legal Actions | Multiple state AG lawsuits; congressional hearings; class actions |
| Legislative Outcomes Proposed | Free credit freezes; ban on SSNs as IDs; broader consumer access rights |
| Political Figures Involved | Sen. Warren, Rep. McHenry, Sen. Kennedy, AG Maura Healey |
| Ongoing Reforms | Push for real-time freeze tech, transparency in credit data handling |
| Reference Source | EPIC archive: archive.epic.org/privacy/data-breach/equifax/ |

When he found out about the Equifax hack, Mifflin was already spending $26 a month on Experian identity monitoring. For the sole purpose of viewing data that credit companies had been gathering and profiting from without his permission, that came to more than $300 annually. “That’s my information,” he would later tell reporters. “I should be able to see it whenever I want—without paying for the privilege.”
The Equifax hack, which exposed the personal information of almost half of America’s adult population, was more than simply another business error. It served as a stark reminder that the foundation around which we build our identity had become quite brittle. The disclosure that this attack was caused by an unpatched software bug and an expired security certificate—failures so fundamental they hardly sounded real—was especially harmful.
Following the incident, lawmakers were not only angry but also inspired. Legislation presented by Senator Elizabeth Warren would permanently remove the cost of credit freezes. Social Security numbers should no longer be used as identifiers, according to Representative Patrick McHenry. Senator John Kennedy advocated for technologically enabled safeguards that would enable users to freeze or unfreeze credit via an app without incurring fees or causing any inconvenience. “That ought to be a minimum,” he said.
The hearings produced something noticeably bipartisan rather than merely political hyperbole. Legislators from all parties expressed shock that a business could have such influence over people’s financial reputations while providing so few options for redress in the event of a crisis.
The breach meant more to Mifflin than money; it meant a growing sense of powerlessness. Each false query served as a reminder that anyone with the correct numbers might buy, sell, or mimic him. He began receiving calls from debt collectors about charges he was unfamiliar with. Every week, he devoted hours to preventing further harm, only to find that additional attempts had been unsuccessful.
Unfortunately, he wasn’t alone in his predicament. Similar reports of accounts being stolen, loans being fraudulently granted, and lives being upended flooded in from all over the nation. However, the absence of consent is what unites all of these tales in the Equifax case. The majority of Americans never consented to the sale of personal data. They were simply enrolled in a system from which they were unable to withdraw.
One of the first to file a lawsuit was Massachusetts Attorney General Maura Healey. When she sued Equifax, she accused the firm of being careless and reckless. She sent a strong message: “This sector needs reforms. The executives need to answer for their actions.” More than thirty other attorneys general started their own investigations after hearing her voice.
Kennedy pointedly questioned an industry executive during a Senate Banking Committee hearing: Why must consumers pay to defend themselves against the very system that puts them at risk? The ensuing stillness was telling.
I recall stopping about this time to go over Mifflin’s testimony—not because I was shocked, but rather because the disparity felt so familiar. With little scrutiny, we have covertly constructed a digital structure around people’s lives and then turned the reins over to private businesses.
TransUnion, Equifax, and Experian do not obtain your permission to collect your information. They package, market, and aggregate it. Additionally, they are quick to offer monitoring services—for a fee—when breaches occur.
According to cybersecurity experts like Chris Hoofnagle of Berkeley Law, anyone may mimic someone else with startling ease thanks to the current credit system. He said, “Someone can pose as you every single second of your life.” It’s not only a privacy concern. It’s a basic problem with the way contemporary finance is set up.
In addition to personal identity, small enterprises were also exposed. The fact that many business owners depend on personal credit to obtain capital was brought to light by Senator Jeanne Shaheen. Not only may a compromised report endanger a person’s financial future, but it can also destroy a whole business.
In response, new legislation is being drafted to force agencies to adopt consumer-controlled, real-time systems, prohibit the use of Social Security numbers, and increase access to credit reports. Some politicians see a time when managing one’s credit identity will be as simple as checking one’s email, thanks to the use of mobile platforms and authentication technology.
Even though these ideas are still being developed, they represent a growing consensus that a reform of the credit reporting sector is necessary. Customers need to be in charge of their data. There should be no cost associated with protection. Furthermore, accountability must be ingrained in the system, not only in the event of an error.
For individuals such as David Mifflin, reform is desperately needed. He had to endure this system’s biggest failure even though he didn’t sign up for it. We may finally be heading toward a more consumer-focused, transparent, and safe credit environment—one in which identity is safeguarded not only by passwords but also by principle—thanks to his voice and many others.
