Delta Air Lines Launches Lawsuit Against CrowdStrike Over July Outage
On 19 July 2024, millions of would-be airline passengers were told that their flights were cancelled. A software update from cybersecurity firm CrowdStrike caused subscribers' Microsoft Windows computers to crash and become unable to restart. Those customers included U.S. airlines, which were left with disabled computers that triggered flight cancellations and delays.
Now one of those airlines, Delta, has filed a lawsuit against CrowdStrike, claiming that the firm “forced untested and faulty updates to its customers,” according to the suit. The suit, which was filed on 25 October, also claims that the computer crashes directly led to more than $500 million in out-of-pocket losses, as well as damage to the airline’s reputation. Delta also estimated that it had to cancel 7,000 flights, impacting roughly 1.3 million people during the course of five days.
“For Delta, the faulty update was catastrophic,” the suit said.
Delta, which claims to have been a CrowdStrike customer since 2022, accused the company of breach of contract, gross negligence, deceptive and unfair business practices, and more in the suit. The case was filed after months of finger-pointing between Delta, CrowdStrike, and Microsoft. CrowdStrike and Microsoft were critical of how the airline handled the incident (Delta was one of the worst impacted among airlines) and of its refusal to accept offered help.
The airline is seeking compensation for losses linked to the incident, coverage of litigation expenses, and an award for punitive damages. (Delta Air Lines, Inc., v. CrowdStrike, Inc., Superior Court of Fulton County, 2024)
“Based on publicly available information about the CrowdStrike incident, it would be an arduous task to prove negligence in this case,” noted Ilia Kolochenko, CEO at ImmuniWeb and a partner and cybersecurity lead for Platt Law LLP. “…The negligence claim—and especially punitive damages—rather seem to be a long shot with little to no chances to succeed.”
However, in an emailed statement to Security Management, Kolochenko noted that this could change depending on any evidence presented during the course of the trial.
“Nonetheless, most contracts by cybersecurity vendors expressly exclude or cap all such kind of damages, leaving the plaintiff with a nominal victory in court, where plaintiff’s legal and judicial costs are poised to be much bigger than the judgment,” Kolochenko said.
CrowdStrike said that Delta’s suit and claims were based on misinformation, according to The Hill. Further, Delta’s allegations “demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”
CrowdStrike filed its own lawsuit on 25 October, claiming Delta’s negligence was the reason for the excessive number of cancellations and delays. After the update was released and caused the crashes, CrowdStrike found the cause and pushed out a fix to customers. “But, in contrast to other major airlines that resumed near-normal levels of operations by the following day…Delta struggled to resume near-normal levels of operations for days,” according to CrowdStrike’s suit.
The firm pointed to its contract with Delta, which includes provisions for limits of liability and exclusion of consequential damages—meaning any damages are excluded.
CrowdStrike’s suit asked the federal court to determine that the firm only owes Delta what is stipulated in its service agreement. (CrowdStrike, Inc. v. Delta Air Lines, Inc., U.S. District Court for the Northern District of Georgia, No. 24-cv-04904-TWT, 2024)
The incident impacted other airlines and other industries, including banks, emergency services, government agencies, hospitals, hotels, railroads, and other organizations. However, the U.S. Department of Transportation has opened an investigation into why Delta took more time to recover compared to other airlines.