Perhaps so they can report you the credit rating agencies if you go into arrears.
If that's the case, it would be an incremental improvement if the credit agencies implemented some tokenization scheme, sort of like credit card gateways do.
Not that anyone should trust the credit agencies either, but you'd still be removing unnecessary points of potential compromise.
I think the solution is simple then: The SSN should be used for read-only. Once the credit report is read/accessed, the credit bureau issues a write-only code. The company then deletes the SSN and only retains the write-only code. If the write-only code is leaked later in a hack, it is useless to criminals trying to open new accounts.
If that's the case, it would be an incremental improvement if the credit agencies implemented some tokenization scheme, sort of like credit card gateways do.
Not that anyone should trust the credit agencies either, but you'd still be removing unnecessary points of potential compromise.