
The obvious follow-up question: after they ran the credit report, why do they continue to store your SSN?

They are not periodically running credit checks. If they were, then people with active credit monitoring would be notified, even for "soft" checks.




Maybe to report to collection agencies and credit score bureaus in case of default?


I think the solution is simple then: The SSN should be used for read-only. Once the credit report is read/accessed, the credit bureau issues a write-only code. The company then deletes the SSN and only retains the write-only code. If the write-only code is leaked later in a hack, it is useless to criminals trying to open new accounts.


That would be similar to the process used by sellers who take card payments and their PSPs (payment service providers).

Basically, the seller never stores (and ideally never even sees) the buyers' card numbers. Instead, the card numbers are stored by the PSP, which then issues seller-specific tokens associated with each card. The seller can then store the tokens, and use them to process any payments to their verified accounts. If the tokens are ever leaked or stolen they are useless to an attacker, as these tokens can only be used with that specific PSP to perform payments in favour of the seller for whom they were issued in the first place.
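
The seller-bound token scheme described in the comment above, as an added sketch that is not part of the thread and not any PSP's real API. All class, method, seller and account names are hypothetical, and `authenticated_seller` stands in for whatever credential check a real PSP performs on the caller.

```python
import secrets

class TokenVault:
    """PSP side: the only place card numbers are stored."""

    def __init__(self):
        self._payout_account = {}   # seller_id -> verified payout account
        self._tokens = {}           # token -> (seller_id, card_number)

    def register_seller(self, seller_id, payout_account):
        self._payout_account[seller_id] = payout_account

    def tokenize(self, seller_id, card_number):
        """Store the card and return a token bound to this one seller."""
        if seller_id not in self._payout_account:
            raise PermissionError("unknown seller")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the card
        self._tokens[token] = (seller_id, card_number)
        return token

    def charge(self, authenticated_seller, token, amount_cents):
        """Charge the card behind `token`. The caller cannot choose the payee."""
        bound_seller, card_number = self._tokens.get(token, (None, None))
        if bound_seller is None or bound_seller != authenticated_seller:
            raise PermissionError("token not valid for this seller")
        return {
            "payee": self._payout_account[bound_seller],  # fixed at tokenization time
            "amount_cents": amount_cents,
            "card_last4": card_number[-4:],
        }

def demo():
    vault = TokenVault()
    vault.register_seller("shop-a", "ACCT-SHOP-A")        # constructed sample ids
    vault.register_seller("shop-b", "ACCT-SHOP-B")
    token = vault.tokenize("shop-a", "4111111111111111")  # standard test card number
    ok = vault.charge("shop-a", token, 1999)
    try:
        vault.charge("shop-b", token, 1999)  # same token presented under another seller id
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    return token, ok, replay

if __name__ == "__main__":
    print(demo())
```

The seller's database holds only the `tok_...` string, and the payee is looked up from the token's binding rather than supplied by the caller.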



