Alert occurred after employer pressed button labelled ‘missile alert’, instead of the one next to it marked ‘test missile alert’

This article is more than 2 years old

This article is more than 2 years old

A false alarm warning Hawaiians of an incoming ballistic missile on Saturday, was reportedly issued because of a “terribly designed” user interface.

The computer system that allows the Hawaiian Emergency Management Agency (HEMA) to send emergency alerts asks employees to select the type of alert that they are sending from a drop-down menu.

Among the options available are two for missile alerts, according to the Washington Post. One is labelled “test missile alert”, which will test the notification system is working without actually sending an alert to the public.

The other is labelled “missile alert”. Selecting that option will send an alert to every mobile phone in Hawaii, warning recipients to “seek immediate shelter” – and specifically noting that “this is not a drill”. That was the option the HEMA employee mistakenly selected.

It was, in fact, a drill. The one-word difference between the two menu options was easily overlooked, and there is only one other difference in the system between the test alert and the real thing: a confirmation prompt, which the employee also clicked through. The employee has been temporarily reassigned, but will keep their job, according to HEMA spokesman Richard Rapoza.

“This sounds like terrible user interface design to me,” said computer security expert Graham Cluley. “Why have the genuine ‘Jeez Louise! Freak out everybody!’ option slap-bang next to one the harmless ‘Test the brown alert’ option?

“Even though the menu option still required confirmation that the user really wanted to send an alert, that wasn’t enough, on this occasion, to prevent the worker from robotically clicking onwards.”

In the days since the alert, HEMA has made a number of tweaks to the computer system to prevent a repeat of the error. It has added a “cancellation button”, allowing users to send a second alert over the same system that notifies recipients that the first was a false alarm. On Saturday, sending that second “false alarm” alert required extraordinary permission, delaying it for 38 minutes.

HEMA has also added a requirement for a second person to confirm the message to be sent, hopefully preventing the first from simply clicking through mistakenly.

“It was too easy — for anyone — to make such a big mistake,” Rapoza told the Post.