Correction: A previous headline stated, “Delta sues Crowdstrike, following IT outage.” According to CNBC, Delta intends to seek damages from Crowdstrike. However, no lawsuits have currently been filed.
The world came to a halt last month when a widespread technology outage affected companies worldwide, disrupting emergency services, bringing channels off the air and grounding flights. Delta Airlines faced the brunt of this outage, suffering a $500 million loss after delaying or canceling thousands of flights. Now, they are pursuing potential damages against CrowdStrike, the company responsible for the outage, according to CNBC.
“It was terrible,” Ed Bastian, Delta’s CEO, said. “We are by far the heaviest in the industry with both [Microsoft and CrowdStrike], and so we got hit the hardest in terms of the recovery ability.”
He stated that his company lost money due to canceling flights, compensating passengers and putting stranded travelers in hotels.
CrowdStrike, a cloud-based cybersecurity platform, manages security threats to endpoints by using AI to predict if there is a threat. An endpoint is any physical device that can be connected to a network, including computers, laptops, mobile phones, tablets and servers. It also collects and logs information captured by its sensors on endpoints to analyze the information in the cloud to assist in threat detection and response. One of their products, Falcon, was providing routine security to all Windows machines when it saw a bug in its update that caused the entire system to collapse.
“I want to sincerely apologize directly to all of you for the outage. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority,” said George Kurtz, CEO of CrowdStrike. “This was not a cyberattack,” he clarified.
Since over half of Delta’s Information Technology (IT) systems are Windows-based, the airline’s systems collapsed.
Delta was also one of the slowest airline companies to recover from the outage, drawing the attention of the US Department of Transportation (DOT). Transportation Secretary Pete Buttigieg vowed to help the passengers by enforcing air-travel consumer protection rules.
“We launched an investigation into Delta Air Lines after reports of stranded passengers waiting hours to reach customer service representatives,” he posted on X.
Among other things, the company struggled to check in passengers, track baggage and make pre-flight calculations about the weight and type of aircraft.
This outage is similar to Southwest’s meltdown in 2022 where more than 60% of its flights were canceled within two days. They had to pay $140 million in fines to DOT and incurred $1.1 billion in losses.
“I was stranded in San Francisco because of the outage. However, Delta put me at a hotel and refunded my ticket,” said Aarushi Shah, fourth-year ME. Looking back, she was surprised to know that Delta’s entire system collapsed because of one bug in the update. “I wish they set up a contingency plan to avoid such catastrophes again,” she added.
“All these operations failed because their endpoint computers would not ‘boot up’ and showed the ‘blue screen of death,’” explained Vijay Madisetti, a Professor in the School of Cybersecurity and Privacy (SCP) at Tech.
According to Madisetti, a poor incident response plan made the crisis worse. He believes that CrowdStrike should have adopted a Canary Deployment process where the updates are rolled out in phases to ensure that the bug was identified in time, meaning the global outage could have been avoided.
While talking to CNBC, Bastian said he had “no choice” but to sue CrowdStrike.
“You can’t come into a mission-critical 24/7 operation and tell us we have a bug,” he added.
He also alleged that CrowdStrike support was nowhere to be found during the meltdown.
Delta hired David Boies, chairman of Boeis Schiller Flexner, as its lawyer to pursue the case. He previously represented the US Government in prosecuting Microsoft in the landmark 1997 antitrust case and helped overturn California’s ban on gay marriage.
CrowdStrike is disputing Delta’s claims. Michael Carlinsky, the lawyer representing CrowdStrike, said, “Delta’s lawsuit has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage.”
He also alleged that the company’s liability is no more than $10 million and asked why Delta was the only carrier so badly affected while others recovered in time. He added that Kurtz offered onsite assistance to Bastian but got no response.
“Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions — swiftly, transparently, and constructively — while Delta did not,” Carlinsky added.
Madisetti said that the school of SCP has strong teaching and research programs in cloud-based software development, cybersecurity incident response, training and validation of software for security flaws and DevSecOps, a new field that emphasizes preventing such problems in the future.
All eyes are now on Delta as the company is yet to respond to CrowdStrike’s allegation. The only question on everyone’s mind is if they will pursue this case further.