The rash of flight disruptions that made news in July has led to a finger-pointing duel between airline Delta and security provider CrowdStrike, with each accusing the other of negligence. The two companies publicly traded accusations of blame in the immediate wake of the incident, as Delta canceled over 7,000 flights in the week of July 19 due to its IT outage.
Each party is seeking damages, and Delta has additionally included Microsoft in its lawsuit. The incident stemmed from a vulnerability in CrowdStrike’s Falcon software, but CrowdStrike maintains that Delta’s issues stemmed from moving too slowly during its containment and recovery.
Delta seeks damages for IT outage caused by CrowdStrike update, CrowdStrike counter-sues over Delta’s response
The incident began with a flawed update to CrowdStrike’s Falcon software, issued on July 19. The errant update caused “blue screens of death” on millions of Windows systems across the world, in a broad variety of industries. Airlines were particularly hard-hit, however, due to common use of the software across the industry for public-facing elements from check-in systems to flight boards.
Over 5,000 flights were canceled worldwide on the day of the update, and issues continued for about a week. Delta was the hardest-hit of the US airlines, with its IT outages lingering for days and stranding numerous passengers. Some were stuck at its Atlanta hub for days as hotels, rental cars and public transportation options in the immediate area were overwhelmed by the chaos. On July 21, Delta’s CIO issued a public statement indicating its ongoing outage was caused by spiraling damage in its internal systems initiated by the sudden shutdown and that it was struggling to process a backlog of updates and to get eligible crew members to the right places to get flights off the ground. Normal operations were not fully restored until July 25, while most other airlines had adequately recovered within the first two days.
As early as late July, Delta CEO Ed Bastian was threatening CrowdStrike with a lawsuit to recoup some of its estimated $500 million in losses from the flight disruptions. With that now officially underway, CrowdStrike has filed its own suit pointing to Delta’s slow recovery relative to other carriers and the fact that the United States Department of Transportation has opened a consumer rights investigation into the airline’s response. Bastian was also criticized for taking a first-class flight to Paris on July 24 to attend the Paris Olympics as the company was still recovering, and in August consumers filed a class-action lawsuit pinning the blame on Delta’s “failed” recovery efforts.
Delta claims flight disruptions should have never happened
Though Delta has been raked over the coals by the general public over the IT outage, the company’s case seems to hinge on its claim that it had shut down automatic CrowdStrike updates yet the faulty update somehow “got through” anyway. Had it not, the company claims the flight disruptions would not have happened.
Delta is accusing CrowdStrike of breach of contract and negligence and wants the security firm to foot the entire $500 million bill for its losses. CrowdStrike’s suit claims that it only owes the airline what is provided for in its service agreement, which would likely limit the decision to some costs incurred during the initial shutdown on July 19, and seeks only legal fees beyond that. Delta is also seeking damages from Microsoft due to the IT outage stemming from a Windows shutdown.
Delta additionally points out that CrowdStrike had not adequately tested the faulty patch before deploying it, something that is documented. As to how it circumvented the fact that updates were disabled, Delta claims that the Falcon software created an unauthorized back door in Windows that the airline was not aware of. CrowdStrike says that this claim is based on misinformation and Delta’s misunderstanding of how cybersecurity works, and has also said Delta refused assistance from both it and Microsoft.
For its part, CrowdStrike senior vice president Adam Meyers apologized for the IT outage before Congress in late September and said that the company has undergone a full review of its systems and an upgrade to its content update procedures.
One other element that might help Delta’s case is that CrowdStrike did not roll out the faulty update in stages, causing immediate shutdowns for about 8.5 million computers around the world. However, CrowdStrike counters with the fact that it was in constant communication with Delta and offering assistance from the beginning of the flight disruptions, and that it observed inadequacies in the airline’s response and IT infrastructure that contributed to the unusually prolonged IT outage. The security firm also characterized that infrastructure as “antiquated.”
Richard Bird, Chief Security Officer, Traceable, is of the opinion that general public sentiment toward Delta has it right and that CrowdStrike will ultimately prevail: “Delta’s lawsuit against CrowdStrike feels like a ‘self-own’ once you dig into the details. Every solution provider and customer agrees to liability terms when they agree to work together. Delta isn’t pursuing a contract remedy here – they are calling CrowdStrike negligent when it is clear in their own court filings that CrowdStrike was a catalyst and the root cause for the outage was antiquated technology and a completely non-functional business recovery plan. Delta failed when it came to resiliency and would have at some point with or without CrowdStrike’s help.”