Delta has made good on its promise to sue CrowdStrike after an update knocked the American airline's systems offline, costing as much as $500 million.
On July 19 2024, security company CrowdStrike rolled out an update to its Falcon detection system, but a flaw in the code crashed 8.5 million computers running Microsoft Windows, knocking banks, retailers, and airlines offline.
Delta subsequently canceled more than 7,000 flights, stranding 1.3 million customers, and quickly hired a lawyer, with CEO Ed Bastian saying the company had to "protect our shareholders… our customers, our employees" from the costs of the outage as well as damage to the company's reputation.
In a legal filing, Delta Air Lines said it is seeking compensation as well as punitive damages, pinning the blame for the "catastrophic" outage on CrowdStrike and claiming it "forced untested and faulty updates to its customers".
"If CrowdStrike had tested the faulty update on even one computer before deployment, the computer would have crashed," according to a document filed by Delta at Fulton County Superior Court in Georgia.
"Because the faulty update could not be removed remotely, CrowdStrike crippled Delta’s business and created immense delays for Delta customers."
Delta said the incident was caused by CrowdStrike putting profit above its own customers.
"CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," the lawsuit added.
CrowdStrike refutes Delta’s claims
CrowdStrike disputed the accusations, pointing out in a statement sent to journalists that Delta was hit harder than other companies, including rival American airlines — a point that is also being investigated by the US Transport Department.
"While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path," CrowdStrike said in a statement.
"Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
If the case goes to court, Delta faces a tough challenging proving CrowdStrike should pay damages, according to Dr. Ilia Kolochenko, CEO of ImmuniWeb and cybersecurity practice lead at Platt Law LLP.
"Based on publicly available information about the CrowdStrike incident, it would be an arduous task to prove negligence in this case," said Kolochenko.
"It will probably be a fierce battle of expert witnesses, who will make a lot of money arguing about the applicable standard of care, requisite to test updates of cybersecurity software. Having said this, the negligence claim – and especially punitive damages – rather seem to be a long shot with little to no chances to succeed."
However, Kolochenko believes it makes more sense for both sides to settle the case out of court, as it will be difficult for Delta to prove and CrowdStrike won't want to set a precedent of liability in such instances.
“If parties fail to settle at an early stage and the case is not dismissed, eventually arriving to the discovery stage of trial, new and grossly unfavorable evidence [may] turn up, eventually giving the negligence claim a chance."
What happened with the CrowdStrike outage?
The CrowdStrike outage began on the morning of July 19, 2024, with mass outages reported across a wide field of industries, including news media. Reports began in Australia and India and were quickly followed by the rest of the world as systems came online in the morning.
The incident was caused by an update that CrowdStrike pushed out that contained a memory issue. In the weeks that followed, CrowdStrike was criticized not just for missing the bug in its own quality assurance testing, but for rolling it out en masse rather than in stages.
Within five days, the vast majority of computers impacted by the outage were back online, but that required plenty of work from IT admins, as in some cases computers had to be manually restarted and rolled back to before the update, one by one.
Delta, for example, said it had to manually reset 40,000 servers.
Shortly after, lawsuits began to pile up for CrowdStrike— including from its own shareholders complaining they were misled about how software testing operated at the company, and that the failure hit share prices hard.
A further class action lawsuit was announced on behalf of smaller businesses impacted by the incident, while Delta also said at the time it was considering legal action.
CrowdStrike has apologized for the incident, but denied it failed to do the necessary testing and validation to avoid the bug.
