Just days after Hawaii descended into panic over a terrifying false missile alert, a recent photo taken at Hawaii's Emergency Management Agency is raising serious concerns over its cybersecurity practices. On Saturday (13 January), over a million Hawaii residents received a mistaken alert regarding a ballistic missile threat on their phones.
The scare comes amid tensions between North Korea and the US over Pyongyang's nuclear programme and continued ballistic missile tests.
The alert, which was also aired on television and the radio, immediately led to a massive scare. Officials took nearly 40 minutes to notify the public about the false alarm, leading many to question what took so long to send out a correction. Authorities blamed the accidental alert on a human error after an employee chose the wrong option from a drop-down menu.
Now, an Associated Press photo taken in July last year at the Hawaii Emergency Management Agency's headquarters has resurfaced on social media, raising major concerns over its digital security protocol.
In the photo, a Hawaii EMA operations officer is seen posing in front his desk along with multiple computer screens at the facility, two of which had yellow Post-It notes stuck to them. Eagle-eyed social media users zoomed in on one of them to find the note actually had a password scrawled on it.
The second note included a reminder for the user to "SIGN OUT".
Although the password and computers in the photo are likely different from the system that sent out the false alarm over the weekend, it does pose questions over employees' approach to security and general practices at the agency.
Hawaii EMA spokesman Richard Rapoza confirmed that the password is authentic, but is used for an "internal application" that he believes is no longer in use. He did not specify the name or purpose of the application in question.
"It wasn't for any major piece of software," Rapoza told Hawaii News Now, noting that it was "not the best practice to have the password in plain view, particularly with reporters and cameras around".
Security experts have long bemoaned the terrible security practices and password habits of regular users, particularly with regards to storing of passwords. Writing down passwords on a piece of paper or having it near one's computer system is a lazy and dangerous practice, experts have warned.
Having a password written and posted in plain sight in an agency that handles the security and safety of millions of people has evoked furore and concerns online. Naturally, the photo is making waves on social media and has already drawn criticism, outrage and ridicule online, particularly from security experts.
It also happens to comes as a new image of a confusing and seemingly outdated interface for the emergency alert system is making the rounds online.
Rapoza told the Verge that the image, posted by Honolulu Civil Beat, is not the actual image of the agency's emergency alert system but is an "acceptable representation" of it. The real image cannot be released to the public for "security reasons", he said.