Hackers hit deportation airline GlobalX, leak flight manifests, and leave an unsubtle message for “Donnie” Trump

GlobalX Airlines, a charter airline being used by the US government for deportation flights, has been attacked by hacktivists who have made off with what they claim are detailed flight records and passenger manifests.

The attackers, who claim to be operating under the umbrella of Anonymous, did not just quietly exfiltrate data from the airline assisting with the controversial deportations – they also defaced the company’s website and replaced it with a message:

Alongside the virtually obligatory image of someone wearing a “V for Vendetta”-style Guy Fawkes mask, part of the defaced webpage read:

“Anonymous has decided to enforce the Judge’s order since you and your sycophant staff ignore lawful orders that go against your fascist plans. You lose again, Donnie.”

Of course, there’s little point in defacing a website if nobody notices – and so the hacktivists reached out to journalists, pointing them in the direction of the security breach, and offering a treasure trove of leaked data including:

• flight logs
• passenger lists
• itinerary details spanning months

The leaked details included information about flights used to deport hundreds of Venezuelan migrants, including some who were battling the legality of their deportation from the United States while the planes were already in the air according to a report by 404 Media.

The media outlet says that it has seen data sorted into folders – dated January 19th through to May 1st – containing details that it has carefully verified against official ICE flight logs and court documents.

According to the anonymous hacker. The data was accessed after they found a GlobalX developer’s token and used it to uncover access and secret keys for the firm’s AWS buckets.

In addition to exfiltrating data and defacing the website, the hacker says that they were also able to send internal messages to pilots via a flight ops tool, and even access the company’s GitHub.

The leaked documents suggest GlobalX’s cybersecurity posture was, let’s say, not great. The hackers claim they found a developer token, used it to dig up AWS access keys, and then strolled into the company’s cloud infrastructure. They also say they defaced the website, sent internal messages to pilots via NAVBLUE (a flight ops tool made by Airbus), and even accessed the company’s GitHub.

At the time of writing there has been no official response to news of the security breach from either GlobalX or the US immigration authorities.