[danjoc]

Step 3 is the insidious part. If Alice files a paper with the reporting agencies, they're required to remove the false report. But the collection agency will just as persistently file an equal but opposite paper to reinstate. The reporting agency is legally caught in the middle of he said, she said. And if asked for proof? The collection agency says BigBank told them Alice owed it, and sold them that debt. So now the originator of the loan has harmed the collection agency as well as Alice.

Don't kill the messenger. The credit reporting agencies are doing what they are obligated to do in that business. There needs to be penalties for BigBank beyond the money BigBank lost in the scam perpetrated by criminal.

Blaming the credit reporting agencies for bad credit reports is intellectually lazy. Blaming them for garbage computer security is much more appropriate in this story. A more interesting discussion here would be about the technical details of the hack.

[kamaal]

If the credit reporting agencies wishes no responsibility then for all practical purposes they are a database table, nothing more. In that case they must offer their services on the same lines as AWS or Google Cloud. That is guarantee is only on infrastructure uptime and availability and not the quality of information. Note even in this case, a level of liability regarding security is on them.

If you wish to provide a service with a level of guarantee, responsibility and liability comes along with it.