Delta files lawsuit against CrowdStrike over outage that triggered meltdown

The lawsuit comes after legal threats from the airline over a faulty security update in July that upended Delta’s operations
Hartsfield-Jackson International Airport on Friday, July 19, 2024 as a massive outage affected Microsoft users around the globe, disrupting airlines, railways, banks, stock exchanges and other businesses. U.S. airlines including Delta, United and American grounded flights, and airlines and airports across the globe are affected. The source of the outage involves security updates related to Microsoft 365 apps and services from cybersecurity firm CrowdStrike.  For several hours, Atlanta-based Delta grounded its entire global flight schedule. Just before 8 a.m., Delta said some flight operations had resumed. (John Spink/AJC)


Delta Air Lines filed a lawsuit against CrowdStrike on Friday evening, alleging a faulty software update in July was catastrophic for the airline, causing it to suffer more than $500 million in losses and harm to its reputation.

The outage triggered a meltdown of Delta’s network, and even as other airlines recovered, Delta passengers around the globe were left stranded and frustrated with 7,000 flight cancellations over five days. For days, travelers slept in airport terminals, including at Hartsfield-Jackson International, and struggled to reach their destinations.

The financial impact to Atlanta-based Delta included about $380 million in lost revenue due to refunds and compensation paid to customers, and about $170 million in expense from the disruption, including reimbursing the expenses of stranded customers and crew costs, according to a filing with the U.S. Securities and Exchange Commission and Delta’s quarterly earnings report.

“CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit,” attorneys for Delta wrote in the lawsuit filed in Fulton County Superior Court. “If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed.”

In the complaint, Delta contends that CrowdStrike is liable to Delta for damages sustained and costs of the suit, including Delta’s lost profits and expenditures and attorneys’ fees, and cites the more than $500 million in out-of-pocket losses “in addition to reputational harm and future revenue loss.” It also seeks punitive damages.

Air travelers at the South Terminal stormed ticket counters Friday, July 19, 2024, as a massive outage affected Microsoft users around the globe, disrupting airlines, railways, banks, stock exchanges and other businesses. U.S. airlines including Delta, United and American grounded flights, and airlines and airports across the globe are affected. The source of the outage involves security updates from cybersecurity firm CrowdStrike. (John Spink/AJC)


“While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path,” a CrowdStrike spokesperson said in a written statement. “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated (information technology) infrastructure.”

CrowdStrike has previously denied that it was responsible for Delta’s IT decisions and response to the outage and has said its liability to Delta is capped. A top company executive also apologized to Congress in a September hearing and acknowledged letting down its customers.

The July 19 outage, fallout and Delta’s response triggered a U.S. Department of Transportation investigation and lawsuits against Delta and CrowdStrike.

Delta said in a written statement Friday evening: “While CrowdStrike has sought to characterize its actions as simple learning opportunities, the reality is CrowdStrike took shortcuts, circumvented certifications, and intentionally created and exploited an unauthorized door within the Microsoft operating system through which it deployed the faulty update.”

Legal threats

The lawsuit comes three months after the incident, and more than two months after Delta hired Boies Schiller Flexner, a prominent law firm cofounded by litigator David Boies, to pursue claims against CrowdStrike and Microsoft. Boies exchanged letters threatening legal action with attorneys for CrowdStrike and Microsoft.

An attorney for CrowdStrike in August sent a letter to an attorney for Delta saying the airline’s threat of litigation “contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage.”

Michael Carlinsky, an attorney with the firm Quinn Emanuel who represents CrowdStrike, wrote in the letter to Boies that CrowdStrike “strongly rejects any allegation that it was grossly negligent or committed willful misconduct.”

“Your suggestion that CrowdStrike failed to do testing and validation is contradicted by the very information on which you rely from CrowdStrike’s Preliminary Post Incident Review,” Carlinsky wrote.

Carlinsky pointed a finger at Delta, raising questions about the resilience of Delta’s IT infrastructure and its decisions on system upgrades. He noted Delta’s competitors “all restored operations much faster” and said Delta turned down help from CrowdStrike professionals “who assisted many other customers to restore operations much more quickly than Delta.”

His August letter also emphasized that CrowdStrike’s liability is “contractually capped at an amount in the single-digit millions” and that “while litigation would be unfortunate, CrowdStrike will respond aggressively, if forced to do so, in order to protect its shareholders, employees, and other stakeholders.”

In late August, CrowdStrike CEO George Kurtz said on CNBC: “We’d love to work with Delta to find a resolution around this.”

But the filing indicates settlement talks were not fruitful enough to forestall a lawsuit.

Multiple claims

Delta’s allegations include breach of contract, gross negligence, computer trespass, intentional misrepresentation/fraud by omission, liability for a product defect and deceptive and unfair business practices. The airline is also seeking attorneys’ fees and punitive damages.

In the lawsuit, Delta lists many of the awards it has received and said its cyber threat detection and response was previously “regarded as the best in its class.”

Air travelers at the North Terminal stormed ticket counters Friday, July 19, 2024, as a massive outage affected Microsoft users around the globe, disrupting airlines, railways, banks, stock exchanges and other businesses. U.S. airlines including Delta, United and American grounded flights, and airlines and airports across the globe are affected. The source of the outage involves security updates related to Microsoft 365 apps and services from cybersecurity firm CrowdStrike. (John Spink/AJC)


The complaint alleges that CrowdStrike circumvented certification processes and that “Delta would have never agreed to such security shortcuts had CrowdStrike disclosed them.”

It also says the update was released to customers without any rollback capabilities, and was not implemented in a staged deployment.

“The media referred to the crashed state as ‘the blue screen of death,’ because the computers would be frozen on a mostly Microsoft-blue screen,” the lawsuit says.

It also said that “for affected Delta computers that could restart, they also had to be remediated manually one at a time and could not be fixed remotely.”

The lawsuit notes that CrowdStrike President Michael Sentonas personally accepted the “Most Epic Fail” award at a Las Vegas Def Con hacking conference in August and said it is “super important to own it when you do things horribly wrong, which we did in this case.”

During the outage, a key problem Delta faced was that its crew tracking system became overloaded and dysfunctional. Delta CEO Ed Bastian said earlier this month that the crew tracking system will be updated and moved to the cloud on Amazon Web Services by the end of this year, a move planned before the outage.