The Hacker Who Stole a Telco’s Most Valuable Personal Data Without Using a Computer

There are reasons not to believe the following story. Susan Headley, a.k.a. Susy Thunder, was a phreaker and hacker in the 1980’s whose most significant claims to fame are that:

  • she had sex with every member of The Beatles; and
  • she is really good at lying.

When somebody specializes in lying it is wise to be skeptical about everything they say. Nevertheless, this story from a recent biography of Headley by The Verge has a ring of truth to it. I can well imagine a phone company that assumed nobody would have the chutzpah to steal the most sensitive customer data they have by simply removing it from an unlocked cabinet.

Back then, everyone had a landline, but people in the public eye kept their phone numbers out of the Yellow Pages. Susan knew the phone company kept a hardcopy list of those private, unpublished numbers, which phreakers colloquially referred to as a “non-pub file.” For Susan, who had cut her teeth hunting rock stars on the Sunset Strip, a comprehensive index of the personal details of every celebrity in Los Angeles was the ultimate haul. “Just think, you could call any sexy celebrity you wanted to,” she says. It was also enormously valuable.

“Non-pub was the Holy Grail,” she says. “And so it seems that some enterprising female hacker decided to go and acquire [it].” After learning that it was stored on microfiche at a Pacific Bell office in East Los Angeles, she began to regularly case the building. Two or three nights a week, she haunted its dumpsters, digging for castoff microfiche. After four months of coming up empty-handed, Susan decided on a more daring strategy. She would walk right into the building.

First, she found some discarded microfiche at a library, rubber-banded it into one-inch stacks, and stuffed it into her purse. Then, one night, while the cleaning crew was at work, she strode through the office’s front doors and tried a little social engineering. “I said to the cleaning crew that I worked there, and I’m in just for a little while to get some records that I need to work from home,” she remembers. After poking around for 15 minutes, making photocopies of interesting manuals, she found a filing cabinet with small, index-card-sized drawers. Inside were tidy stacks of microfiche. She grabbed a small jeweler’s loupe from her purse and peered at a sheet. Bingo.

She swapped out a section from the back of the drawer with an equally sized stack of library microfiche, slipped it carefully back in place, and left the office as confidently as she had arrived.

Do any readers know if Pacific Bell really did keep phone numbers of Los Angeles celebrities on a special microfiche, or if those numbers were ever stolen? Nobody likes to admit to security failings, but after 40 years it is difficult to argue anyone might lose their job by revealing what really happened. And a good anecdote about the need to lock cabinets might encourage some present-day telcos to improve the security of their buildings too.

The Verge article “Searching for Susy Thunder” can be found here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.