
Why does T-Mobile have SSNs of its subscribers?



All contract-based telecoms (at least in the US; I can't speak to elsewhere) run credit checks against postpaid customers, since they typically involve a financial obligation (a 2-year contract and/or financing the device).


The obvious follow-up question: after they ran the credit report, why do they continue to store your SSN?

They are not periodically running credit checks. If they were, then people with active credit monitoring would be notified, even for "soft" checks.


Maybe to report to collection agencies and credit score bureaus in case of default?


I think the solution is simple then: the SSN should be used for read-only access. Once the credit report is read/accessed, the credit bureau issues a write-only code. The company then deletes the SSN and only retains the write-only code. If the write-only code is leaked later in a hack, it is useless to criminals trying to open new accounts.


That would be similar to the process used by sellers who take card payments and their PSPs (payment service providers).

Basically, the seller never stores (and ideally never even sees) the buyers' card numbers. Instead, the card numbers are stored by the PSP, which then issues seller-specific tokens associated with each card. The seller can then store the tokens and use them to process any payments to their verified accounts. If the tokens are ever leaked or stolen, they are useless to an attacker, as these tokens can only be used with that specific PSP to perform payments in favour of the seller for whom they were issued in the first place.
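A toy model of the write-only-token scheme sketched in this comment and the one above it, written as an added example (not code from either commenter, nor from any real bureau or PSP). The bureau, the carrier names, the token format and the assumption that the bureau authenticates the requesting party out of band are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class CreditBureau:
    """Holds SSN-keyed credit records; the SSN is needed only on the read path."""
    records: dict = field(default_factory=dict)  # ssn -> list of reported events
    tokens: dict = field(default_factory=dict)   # token -> (ssn, requester it was issued to)

    def pull_report(self, requester: str, ssn: str) -> tuple[list, str]:
        """Read: caller presents the SSN, gets the report plus a fresh write-only token."""
        report = list(self.records.setdefault(ssn, []))
        token = secrets.token_hex(16)
        self.tokens[token] = (ssn, requester)
        return report, token

    def report_event(self, requester: str, token: str, event: str) -> bool:
        """Write: token only; rejected if unknown or presented by a different requester."""
        entry = self.tokens.get(token)
        if entry is None or entry[1] != requester:  # requester assumed authenticated (e.g. mTLS)
            return False
        self.records[entry[0]].append(f"{requester}: {event}")
        return True

@dataclass
class Carrier:
    name: str
    bureau: CreditBureau
    accounts: dict = field(default_factory=dict)  # account -> write-only token, never the SSN

    def onboard(self, account: str, ssn: str) -> bool:
        """Run the credit check, keep only the token, let the SSN go out of scope."""
        report, token = self.bureau.pull_report(self.name, ssn)
        self.accounts[account] = token
        return not any("default" in e for e in report)  # approve only without prior default

def demo(ssn: str = "123-45-6789") -> dict:  # constructed sample value, not a real SSN
    bureau = CreditBureau()
    carrier_a = Carrier("carrier-A", bureau)
    approved = carrier_a.onboard("acct-1", ssn)
    leaked = carrier_a.accounts["acct-1"]  # all that a breach of carrier A would expose
    return {
        "approved": approved,
        "carrier_holds_ssn": ssn in repr(carrier_a.accounts),
        "default_reported": bureau.report_event("carrier-A", leaked, "default"),  # issuer can write
        "leaked_token_usable_elsewhere": bureau.report_event("carrier-B", leaked, "default"),
        "next_carrier_sees_default": not Carrier("carrier-B", bureau).onboard("acct-9", ssn),
    }
```

The token lets the issuing carrier report a default but gives a third party neither a read of the file nor a write against it, which is the property the comment is after.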


The big US carriers are post-paid and run credit checks on subscribers.


Not necessarily. I'm on TMO, grandfathered into an ancient 'unlimited data/100min talk' pre-paid plan (so they have very little on file for me, luckily).


Right, but surely they could run your credit and then throw away the data, right? What interest do they have in holding on to it?


If you stop paying, they want to make a report to the credit agencies.


Folks haven’t learned that this data is a liability and not an asset.


It's days like today that I'm very glad I use a prepaid VOIP service that accepts bitcoin.


There's even a prepaid e-sim provider that accepts bitcoin: https://silent.link/


Credit checks/verification/enforcement for yearly contracts, probably.


Credit checks


Why do they need to keep them?


Perhaps so they can report you to the credit rating agencies if you go into arrears.

If that's the case, it would be an incremental improvement if the credit agencies implemented some tokenization scheme, sort of like credit card gateways do.

Not that anyone should trust the credit agencies either, but you'd still be removing unnecessary points of potential compromise.


Alternatively: We don't need post-paid plans. Just do pre-paid for everything and reduce the data you keep.

Going to collections over $50 is stupid.
