Delta Versus CrowdStrike and Microsoft: Accusations Fly
After IT Outage, Firms Question Why Delta's Competitors Recovered So Much Faster
Delta Air Lines' legal threats against CrowdStrike and Microsoft over its extended IT outage continue to escalate. The airline is doubling down on demands that the two vendors defray the cost of its outage, characterizing the help offered to date as being too little, too late.
The disagreement stems from a faulty CrowdStrike software update on July 19 that sent 8.5 million Windows hosts into a tailspin of crashing and rebooting, disrupting numerous organizations globally, including hospitals, stock markets, banks and airlines, among them American, United and Delta.
Atlanta-based Delta said CrowdStrike-caused disruptions led to 7,000 canceled flights over five days, and that the cybersecurity vendor and Microsoft are responsible.
"We are pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage, which total at least $500 million," said Ed Bastian, Delta's CEO, in a Thursday regulatory filing.
"An operational disruption of this length and magnitude is unacceptable," Bastian said.
Delta has retained high-profile litigator David Boies to seek damages from CrowdStrike and Microsoft. He wrote to both companies on July 29, telling them to prepare for litigation.
CrowdStrike and Microsoft Reject Accusations
CrowdStrike this week said it "will respond aggressively, if forced to do so, in order to protect its shareholders, employees and other stakeholders," while Microsoft pledged to "vigorously" defend itself against any such litigation.
In a Sunday letter to Boies, CrowdStrike lawyer Michael B. Carlinsky, co-managing partner at Quinn Emanuel Urquhart & Sullivan, said the cybersecurity firm worked "tirelessly" to help customers restore their systems, and offered help multiple times to Delta. He also questioned why the airline took so long to recover, especially compared to competitors American and United, which resumed full operations just a day later. The fault might lie with "Delta's IT decisions and response to the outage," he said (see: CrowdStrike Rejects Delta's Negligence Claims Over IT Outage).
Microsoft this week also rebutted multiple claims by Boies, saying it reached out immediately and repeatedly after the incident, to multiple levels of the organization, offering free help, which the airline repeatedly declined.
"Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernized its IT infrastructure," said Microsoft attorney Mark Cheffo, co-chair of Dechert's global litigation practice, in a Tuesday letter to Boies, reprinted by The Verge.
"Microsoft empathizes with Delta and its customers regarding the impact of the CrowdStrike incident," he said. "But your letter and Delta's public comments are incomplete, false, misleading and damaging to Microsoft and its reputation."
Delta Claims 'Victim Blaming'
As the back-and-forth continues, Delta responded Thursday with a letter, reprinted by the Register, to CrowdStrike's attorneys. Boies accused CrowdStrike of "attempting to blame the victim" by questioning the robustness of Delta's IT infrastructure, saying the company's "operational reliability and customer service has led the airline industry due, in part, to investing billions of dollars in information technology."
He also attempted to recast the airline's days-long outage as resulting from it having trusted CrowdStrike and Microsoft too much (see: CrowdStrike, Microsoft Outage Uncovers Big Resiliency Issues).
"Approximately 60% of Delta's mission-critical applications and their associated data - including Delta's redundant backup systems - depend on the Microsoft Windows operating system and CrowdStrike," he wrote. "Delta's reliance on CrowdStrike and Microsoft actually exacerbated its experience in the CrowdStrike-caused disaster."
Boies, who's chairman of the law firm Boies Schiller Flexner LLP, said that for the airline, the outage "shut down more than 37,000 computers and disrupted the travel plans of more than 1.3 million Delta customers."
Delta said in a regulatory filing it expects to report losses of $380 million due to the IT outage, "primarily driven by refunding customers for cancelled flights and providing customer compensation in the form of cash and SkyMiles," as well as IT outage and operational recovery expenses of $170 million, "primarily due to customer expense reimbursements and crew-related costs."
Delta is one of multiple airlines that earlier this year, under pressure from the Biden administration, pledged to compensate customers for delays, cancellations and other travel disruptions. The U.S. Department of Transportation's Office of Aviation Consumer Protection said it's probing the airline's handling of the disruptions caused by the outage.
Boies disputed CrowdStrike's assertion that it worked "tirelessly" to help customers restore systems, writing that the company's "offers of assistance during the first 65 hours of the outage simply referred Delta to CrowdStrike's publicly available remediation website, which instructed Delta to manually reboot every single affected machine." He also said that while CrowdStrike CEO George Kurtz did reach out to Delta's CEO to offer assistance, it only came four days after the incident began, when "Delta had already restored its critical systems and most other machines," by which point "Delta's operations had fully stabilized to industry norms."
A CrowdStrike spokesperson told Information Security Media Group that "Delta continues to push a misleading narrative."
"CrowdStrike CEO George Kurtz called Delta board member David DeWalt within four hours of the incident on July 19," the spokesperson said. "CrowdStrike's chief security officer was in direct contact with Delta's CISO within hours of the incident, providing information and offering support. CrowdStrike's and Delta's teams worked closely together within hours of the incident, with CrowdStrike providing technical support beyond what was available on the website."
The cybersecurity vendor also pointed to a July 19 LinkedIn post by DeWalt as evidence of the customer support it was providing to Delta. "George and his team have done an incredible job, working through the night in difficult circumstances to deliver a fix. It is a huge credit to the Crowdstrike team and their leadership that many woke up to a fix already available," wrote DeWalt, who formerly served as CEO of McAfee and FireEye.
Testing Problems
Beyond Delta's threats, CrowdStrike faces a putative class action lawsuit from investors who allege the company misled them by characterizing its technology as being "validated, tested and certified," before the faulty software update triggered the global IT outage.
CrowdStrike has moved quickly and publicly to identify the root causes of the incident. It quickly issued a preliminary report saying that bugs in its software-testing processes failed to prevent the faulty update for its Falcon endpoint detection and response software from getting distributed. The company has pledged to overhaul its testing as well as distribute updates to customers in a staged fashion, to better prevent such mass outages, and on Tuesday issued a more robust root cause analysis.
Microsoft said it's reviewing Windows kernel-level access by third-party software, including EDR tools such as CrowdStrike's Falcon. Germany's Federal Office for Information Security, or BSI, said it's been liaising with both CrowdStrike and Microsoft to identify root causes of the outage, including such kernel-level access. The federal security agency said that by the end of 2025, it wants to see Windows gain "new and resilient components designed and implemented offering the same functionality and level of protection as before, but which require less invasive permissions to operating systems."
The BSI said: "This aims to minimize the impact of software errors."