It's worse than that...
The three major credit reporting agencies *sell* the data they collect. Experian has in the past even run their own spam-for-hire operation. And if an enterprising ID thief has sufficient resources, they can buy large blocks of consumer names, addresses, and social security information - it has been done.
And there is almost no legal protection against these parasites in the USA. The law requires the CRAs to remove derogatory information automatically after a certain period of time, and to place an annotation from the consumer on disputed debts, but unless you have the financial resources of Bill Gates (so that yo ucan take the CRAs to court), there's no enforcement; and a phony "creditor" can renew derogatory information simply by "selling the debt" to another branch of the same company, under a different corporate name, so the only way to really get the info removed is to pay the blackmailer.
I'd be enormously happy if LifeLock and Experian drove each other, and the other 2 CRAs, out of business.