Couldn't customer service just treat all sensitive information like the they treated the last 4 digits of the CC in this scenario? Verify only, reveal nothing. I'm sure almost all legit customers don't have even 5 possible addresses they may have shipped to, make them say what they think it is.
That would be the basic standard to which all CSRs are trained to, and deviating from that is 100% deviating from protocol in almost any case, they do it for individual reasons (speed, a good customer survey, whatever)
When I trained Apple techs the clear communication was that people use pretexting for not just mundane things like credit card theft, but to commit violence against other people (especially in the case of domestic violence where they have some personal details and can try to get more).
Anything but the strategy of verify only is putting people's lives in danger.
