The first time, he makes a big deal about the address in question not being really his, but one he did use for WHOIS registration. I know there are people who have legitimate reasons for hiding their personal address when operating a controversial website, but the solution for that isn't to give a totally bogus address. Or maybe the CSA saw that it had been used as a "private" registration (not knowing it had been subsequently revealed) and assumed it was a relevant secret on that basis? And how is it's Amazon's fault if the address was used to cause the sending of a replacement credit card? Did the scammer rent a room at said hotel and request that the card be sent there?
The second time, he complains about the disclosure of the last purchased item and the shipping address. I'd say that the majority of the time when there's fraud, if the real customer calls in, he'd like to know where the item is actually going so he can include that in his police report. In spite of the scammer's attempt, the agent really didn't give out any useful information about the credit card.
The third time, we don't have a the transcript, so it's possible that the agent read off all the addresses, the AWS username, and all credit-card numbers ever associated with the account. More likely, the agent said, "I'm sorry, I can't give you that information. I can send a copy of your invoice to your e-mail address on file."
Even the last-purchased item is arguably sensitive. What if it's a bulk-pack of condoms, for example? Or (back to Amazon's roots) a book on the list of banned books? I'd encourage Amazon to close that hole, but I'm not sure I have a good solution.