Who's doing the fraud? Is it Equifax, which is in good faith recording the information provided by its customers (credit companies, banks, etc)? The credit company that is reporting in good faith to Equifax (or another CRA), but is tying it to the wrong person because an account was fraudulently opened? Is it the person who used stolen ID data to open the account? Is it the thief who originally stole the data?
The US doesn't have a data-protection law, but how can you say their recording of the information is in good faith if they allow unauthorized people to make spurious changes via their systems and security practices?
Those who use the holes in their infrastructure, did you see the story about a database being accessible with default credentials? There is some question of scope for that particular issue, but it bodes duplication in the company's practices elsewhere.
