Delta Air Lines has taken legal action against cybersecurity vendor CrowdStrike following a global IT outage that occurred over the summer. The lawsuit filed by Delta on Friday is the latest development stemming from the CrowdStrike outage that started on July 19.
The global IT outage was triggered by a defective channel file update that stemmed from a bug in the CrowdStrike Falcon platform’s content validator. This faulty update caused crashes on millions of Windows devices, leading to reboot loops that needed manual intervention to resolve. While Microsoft claimed that only 8.5 million devices were impacted, the repercussions of the outage were felt worldwide, affecting various organizations, including hospitals and airlines.
Among the affected airlines, Delta emerged as one of the most vocal critics of the incident. Immediately following the outage, Delta enlisted the services of prominent attorney David Boies. In late July, Delta’s CEO Ed Bastian stated in an interview with CNBC that the airline had to cancel more than 5,000 flights due to the outage, resulting in an estimated $500 million loss over a span of five days.
In response to Delta’s legal threats, both CrowdStrike and Microsoft defended their actions, asserting that they had offered assistance to the airline, with Microsoft claiming its offers were rebuffed and CrowdStrike suggesting its attempts to help were ignored. These exchanges led to the culmination of a lawsuit filed by Delta in Georgia’s Fulton County Superior Court on Friday.
The lawsuit outlines the financial losses incurred by Delta, estimating damages at $500 million along with additional claims for attorneys’ fees, expenses, lost profits, and reputational damage. The updated figures in the lawsuit revealed that over 7,000 flights and 1.3 million passengers were affected by the IT outage.
In the lawsuit, Delta accused CrowdStrike of pushing untested and faulty updates to its customers, leading to the widespread crash of Microsoft Windows-based computers worldwide. A spokesperson from CrowdStrike responded to these allegations, dismissing Delta’s claims as misinformation and highlighting what they perceive as a lack of comprehension of modern cybersecurity practices on Delta’s part.
Despite CrowdStrike’s rebuttal, the fallout from the July outage has created a shadow over the company, prompting Adam Meyers, CrowdStrike’s senior vice-president for counter adversary operations, to issue an apology before the House Committee on Homeland Security in Washington, D.C.
In conclusion, the legal dispute between Delta Air Lines and CrowdStrike underscores the significant impact that cybersecurity incidents can have on businesses and their operations. The lawsuit brings to light the complexities of safeguarding IT infrastructure in an increasingly digital world, highlighting the crucial role that cybersecurity vendors play in ensuring the resilience of organizations against potential threats and vulnerabilities.