HEMA’s security issues

Hawaii Ballistic Missile Alert Mistake: A revelation of HEMA’s security issues

by Jane Encarnado on and last update on July 09, 2019

In light of the heated political disputes between North Korea and the United States, a text message sent by the Hawaii Emergency Management Agency (HEMA) left citizens statewide in a panic.


A False Alarm

However, not even an hour afterwards, the warning was quickly retracted. Officials and news sources declared the emergency alert as false approximately 30 anxiety-filled minutes later. Additionally, several accounts of people’s experience during that time were shared on social media.

An example is Sara Donchey’s statement. The local reporter for a Houston, Texas broadcast cites, “This was my phone when I woke up just now. I’m in Honolulu, Hawaii and my family is on the North Shore. They were hiding in the garage. My mom and sister were crying. It was a false alarm, but betting a lot of people are shaken.” Her tweet was accompanied by a screenshot of her phone featuring distressed texts from her mother and sister.

It was also on Twitter where various political figures and institutions took to spreading that the message was indeed untrue. A congresswoman of Hawaii, Tulsi Gabbard, posted her own tweet, announcing that there was no missile and that the information was confirmed by officials. Furthermore, even the U.S. Pacific Command released a message debunking the emergency alert.

Human Error

What caused the incident is an unnamed employee who clicked the wrong option. He was assigned to run an internal test of the missile warning system. However, he accidentally selected the actual emergency alert for an inbound ballistic missile. It was the beginning of the morning shift at HEMA headquarters, 8 A.M. local time.

“This guy feels bad, right. He’s not doing this on purpose—it was a mistake on his part and he feels terrible about it,” Vern Miyagi, the head of HEMA, stated at a press conference.  It was also confirmed that there are no plans to fire the employee. Instead, Miyagi shared that he will be counseled and drilled extensively so it never happens again.

Pictured Mishaps

Furthermore, a screenshot released by Miyagi in response to Governor David Ige’s spokeswoman, Jodi Leong, was found inaccurate. This image was featured on many news outlets as it was thought to be an authentic representation of what the employee saw. It also garnered a number of negative reactions, including Senator Brian Schatz’s simple statement: “This is not the kind of interface you would expect to see for something this important.”

In a turn of events, officials have disclaimed the screenshot’s authenticity. The image seen above was declared as a mere example of what the employee could have seen. Leong expounds on the inaccurate image, “We asked [HEMA] for a screenshot and that’s what they gave us. At no time did anybody tell me it wasn’t a screenshot.”

HEMA justifies that due to security concerns, they cannot publicize a real screenshot of the system, as said by Richard Rapoza, the agency’s public information officer. The screenshot sent to the governor’s office was given without his knowledge. Rapoza acknowledged that HEMA did not handle the request made by Ige’s party well, and so an error was made.

Described as a “more accurate” depiction of what an employee might see, the image HEMA officially released shows a cleaner layout. The worker was supposed to click the PACOM option with the DRILL label; however, he did not click the right action, and instead sent a false missile threat across Hawaii.

Amidst this, a photograph from July has resurfaced and raised some security issues. The picture is of HEMA operations officer posing with computer screens used to monitor hazards at the agency’s headquarters.

A simple computer enhancement revealed that one of the sticky notes actually contains a password. Although the password is unrelated to the accidental alert, netizens have pointed it out and taunted the agency for their lack of concern for confidentiality. As photographed below, the note contains the words: Password; Warningpoint2.

Of course, writing down a password is not a capital offense but it is highly recommended to turn to password managers, or digital protectors of one’s login details. Moreover, a sticky note stuck on a monitor is definitely not secure.

Security Questions

HEMA continues to face heavy criticism and scrutiny about their security procedures. It is important to note that multiple inquiries have already arisen concerning how the situation escalated to this.

On the day itself, senator Mazie Hirono said, “Today’s alert was a false alarm. At a time of heightened tensions, we need to make sure all information released to the community is accurate. We need to get to the bottom of what happened and make sure it never happens again.”

An investigation by the Federal Communications Commission (FCC) is already underway. The chairman of the FCC states, “[Hawaiian authorities] did not have reasonable safeguards or process controls in place to prevent the transmission of a false alert.”

Although no hacks were made, as stated by HEMA, the photograph with the password on a sticky note continues to evoke a series of questions towards the safety customs within the agency’s headquarters. Subsequently, netizens observe that there were several issues with the UI/UX of the system, whether it be the first photo sent by Miyagi or the official second example.


Aside from addressing issues in regards of the HEMA’s system, the Hawaiian government is making moves to console those greatly affected by the blunder.

An excerpt of governor David Ige’s full message to the people:

In the next few days, I will continue meeting with our emergency preparedness team and personally talking with families, individuals and leaders from around our state to ensure we reach every household.

Prospects and Prevention

The situation revealed issues concerning HEMA’s system; therefore, solutions are increasingly being formulated. A better designed user interface could have stopped the employee from selecting the wrong option. Necessary prompts that double-check a user’s intent to continue an option would have helped as well.

Aside from the troubling UI, HEMA’s ability to secure classified information is also being criticized. First, the jumble with the screenshots of what an employee might see. Then the reemerged photograph wherein a sticky note with a password amasses its own set of security threats.

Proper organization of files could have avoided the awkward position of showcasing two different screenshots. Better communication within the institution itself could have prevented this instance. Consequently, switching to more advanced password-keeping methods would have alleviated the need for physically writing it down on a piece of paper.

Convene, a board portal, has a friendly UI to ensure clients a smooth experience with the app. It’s equipped with the fundamental options to run paperless meetings. Furthermore, it has a guaranteed security protocol to ensure the confidentiality of its clients’ discussions and shared materials. Forgotten passwords are also not a problem, as a simple “forgot password” option is available, allowing users to reset their passwords via link sent to their email.

For more questions about Convene, please do not hesitate to contact any convenient office.


Share this article

Experience Azeus Convene