From their forward facing database connected to the web - Yes, it should already be happening since it's been demonstrated time and again, near every security idea put in place, is vulnerable. If there was one common method that wasn't - companies would be moving to it already. Inactive details belong in an air gapped database. Inactive means no third party needs any access to that data, bar the company in case an old customer wants back.
If days of support were like they were thirty years ago plus pre cookie cutter set up, and not much third party processing, there might be a need where the single person needed access to everything. However I don't recall the last time I've ever aimed to get support or answers from billing and the first contact was able to do much, then again if I am making contact when there's an issue, it's typically not on my end.