On Saturday, people in Hawaii woke up to a ballistic missile alert that was accidentally transmitted by a Hawaii Emergency Management Agency (HI-EMA) worker who pressed the wrong option in a drop-down menu. The incident raised questions about the security of an agency tasked to warn residents of serious threats.
Now, an Associated Press image that started circulating across the internet on Tuesday is adding insult to injury. The photo shows a HI-EMA employee standing in front of a desk filled with monitors. On the frame of one display is a Post-it note with writing on it. Zoom and enhance and you’ll see a password written in big letters.
A spokesperson at the agency confirmed to Hawaii News Now that the password is legitimate but was for an “internal application” they believe is no longer in use. The image was originally taken in July 2017 so it’s possible the software was still active when it was first uploaded. Regardless, the photo shows a lack of understanding of security best-practices from an agency tasked to inform millions of a potential threat.
People on social media responded in disbelief, opening discussions about the level of training required of emergency management workers. Writing down passwords is one of the worst security errors you can make. It’s forgivable if you do so in a secret notebook, but broadcasting it to everyone in your office (or in this case, the internet) is inexcusable.
Do you want more cybersecurity training? Because that’s how you get more cybersecurity training. https://t.co/cf4PGECisw
— Crispin Burke (@CrispinBurke) January 17, 2018
Around the time the image was going viral, the HI-EMA published a representation of the system it uses to send out emergency alerts—the same sort of UI that was used when the false missile alert was accidentally transmitted. The interface was criticized for its archaic appearance and confusing layout, leading to another round of harsh questioning from concerned residents.
This is the screen that set off the ballistic missile alert on Saturday. The operator clicked the PACOM (CDW) State Only link. The drill link is the one that was supposed to be clicked. #Hawaii pic.twitter.com/lDVnqUmyHa
— Honolulu Civil Beat (@CivilBeat) January 16, 2018