Yeah, in separate databases on separate systems. The network plane of a phone provider should only be able to access a database mapping IMSI -> account ID, and the billing/customer service department should only be able to access a database mapping account ID -> actual account data.

Unfortunately, anything involving phones is based on literally decades of stuff that was made in a time where every participant in the network was trusted by default, and bringing up the legacy compatibility stuff to modern standards is all but impossible.