Delta has made good on its promise to sue CrowdStrike after an update knocked the American airline's systems offline, costing as much as $500 million.
On July 19 2024, security company CrowdStrike rolled out an update to its Falcon detection system, but a flaw in the code crashed 8.5 million computers running Microsoft Windows, knocking banks, retailers, and airlines offline.
Delta subsequently canceled more than 7,000 flights, stranding 1.3 million customers, and quickly hired a lawyer, with CEO Ed Bastian saying the company had to "protect our shareholders… our customers, our employees" from the costs of the outage as well as damage to the company's reputation.
In a legal filing, Delta Air Lines said it is seeking compensation as well as punitive damages, pinning the blame for the "catastrophic" outage on CrowdStrike and claiming it "forced untested and faulty updates to its customers".
"If CrowdStrike had tested the faulty update on even one computer before deployment, the computer would have crashed," according to a document filed by Delta at Fulton County Superior Court in Georgia.
"Because the faulty update could not be removed remotely, CrowdStrike crippled Delta’s business and created immense delays for Delta customers."
Delta said the incident was caused by CrowdStrike putting profit above its own customers.
"CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," the lawsuit added.
CrowdStrike refutes Delta’s claims
CrowdStrike disputed the accusations, pointing out in a statement sent to journalists that Delta was hit harder than other companies, including rival American airlines — a point that is also being investigated by the US Transport Department.
"While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path," CrowdStrike said in a statement.
"Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
If the case goes to court, Delta faces a tough challenging proving CrowdStrike should pay damages, according to Dr. Ilia Kolochenko, CEO of ImmuniWeb and cybersecurity practice lead at Platt Law LLP.
"Based on publicly available information about the CrowdStrike incident, it would be an arduous task to prove negligence in this case," said Kolochenko.
"It will probably be a fierce battle of expert witnesses, who will make a lot of money arguing about the applicable standard of care, requisite to test updates of cybersecurity software. Having said this, the negligence claim – and especially punitive damages – rather seem to be a long shot with little to no chances to succeed."
However, Kolochenko believes it makes more sense for both sides to settle the case out of court, as it will be difficult for Delta to prove and CrowdStrike won't want to set a precedent of liability in such instances.
“If parties fail to settle at an early stage and the case is not dismissed, eventually arriving to the discovery stage of trial, new and grossly unfavorable evidence [may] turn up, eventually giving the negligence claim a chance."
What happened with the CrowdStrike outage?
The CrowdStrike outage began on the morning of July 19, 2024, with mass outages reported across a wide field of industries, including news media. Reports began in Australia and India and were quickly followed by the rest of the world as systems came online in the morning.
The incident was caused by an update that CrowdStrike pushed out that contained a memory issue. In the weeks that followed, CrowdStrike was criticized not just for missing the bug in its own quality assurance testing, but for rolling it out en masse rather than in stages.
Within five days, the vast majority of computers impacted by the outage were back online, but that required plenty of work from IT admins, as in some cases computers had to be manually restarted and rolled back to before the update, one by one.
Delta, for example, said it had to manually reset 40,000 servers.
RELATED WHITEPAPER
Shortly after, lawsuits began to pile up for CrowdStrike— including from its own shareholders complaining they were misled about how software testing operated at the company, and that the failure hit share prices hard.
A further class action lawsuit was announced on behalf of smaller businesses impacted by the incident, while Delta also said at the time it was considering legal action.
CrowdStrike has apologized for the incident, but denied it failed to do the necessary testing and validation to avoid the bug.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
OpenAI inks $12bn CoreWeave deal in latest move away from MicrosoftNews Cloud infrastructure company CoreWeave will supply OpenAI with infrastructure to run the firm's latest models in a deal worth nearly $12 billion.
-
Analysts think Microsoft's data center rollback is bad news for the AI boom – but the company says not to worryNews Microsoft has reportedly ended leases for a significant amount of data center capacity, sparking debate over whether the AI boom is starting to falter.
-
Microsoft invests $700 million to bolster cybersecurity and infrastructure in PolandNews Microsoft has announced plans to invest more than $700 million to support AI and cloud infrastructure expansion in Poland alongside cybersecurity support.
-
Data center water consumption is skyrocketing, but Microsoft thinks it has a solution – the company's new closed-loop cooling system consumes zero water and could save millions of liters per yearNews Microsoft has revealed fresh details on its 'closed-loop' data center cooling system, which it says uses zero water.
-
Meta wants to join the big tech nuclear clubNews Meta has become the latest big tech company to explore the use of nuclear energy to power data centers.
-
Microsoft admits users received unexpected upgrades to Windows Server 2025News Admins spotted last week that Windows Server 2022 had suddenly become 2025
-
Windows Server 2025 is now available – but Microsoft warns admins to watch out for three major bugs, including one that causes the dreaded blue screen of deathNews Microsoft promises security, performance, and cloud agility upgrades for Windows Server 2025 — but bugs ruin the party
-
Data centers will be critical to UK economic growth in the coming decade – but researchers have warned of a ‘data doomsday’ unless energy infrastructure is improvedNews With TechUK calling for improved grid connections and easier access to renewable energy, a new study warns that the world's entire electricity supply may not be enough
