Delta Air Lines Sues CrowdStrike Over July System Meltdown
Lawsuit Compares Botched Software Update to Hacking
Delta Air Lines filed an acerbic lawsuit Friday afternoon against CrowdStrike that likens the endpoint security vendor's botched July 19 update to hacking.
The Atlanta airline - by many measures the world's largest - estimates that a days-long Windows computer meltdown instigated by CrowdStrike cost it $500 million, "in addition to future revenue and severe harm to reputation and goodwill." The airline canceled approximately 7,000 flights over five days.
The lawsuit invokes a Georgia state anti-hacking statute to accuse CrowdStrike of "installing an exploit in Delta systems" by automatically rolling out an update affecting the Windows operating system kernel (see: Banks and Airlines Disrupted as Mass Outage Hits Windows PCs).
CrowdStrike circumvented Delta's decision to block the vendor from making automatic updates to its instance of the Falcon endpoint detection and response system, the airline asserted. "Delta would have never allowed the type of unauthorized and uncertified door that CrowdStrike implemented."
It took only weeks after the mid-July collapse of 8.5 million Microsoft machines worldwide for Delta to telegraph its intention to sue its tech providers for damages. In an August regulatory filing, CEO Ed Bastian said he would sue CrowdStrike and Microsoft - but the lawsuit filed in Fulton County Superior Court squarely blames CrowdStrike for the outages.
The July 19 update did not comply with Microsoft requirements for third-party kernel-level access because it was not run through a certification process that checks for flaws, the lawsuit asserts. "Customers like Delta ended up with unverified and unauthorized programming and data running in kernel mode with each new 'content update.'" Estimates of total direct losses caused by the outages stand at more than $5.4 billion.
The lawsuit follows the company detailing in quarterly financial results that the outage cost it $380 million in canceled flights and customer compensation and $170 million in customer and crew expenses.
A preliminary analysis by CrowdStrike blamed the incident on a flaw in a cloud-based system for testing new updates that ushered through a faulty "template type" despite it "containing problematic content data."
A fuller root-cause analysis of the incident acknowledged that CrowdStrike should have staged the update rather than pushing it out all at once to production. Staged deployment would have allowed the company to limit the number of affected systems.
In an emailed statement, a CrowdStrike spokesperson said Delta's claims are "based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."
The cybersecurity company previously responded to Delta's litigation threats in a letter stating that it "strongly rejects any allegation that it was grossly negligent or committed willful misconduct" (see: CrowdStrike Rejects Delta's Negligence Claims Over IT Outage).
The lawsuit additionally accuses CrowdStrike of trespass by having "replaced and altered Delta's computer programming or data." Additional counts include breach of contract, intentional misrepresentation, product defect, gross negligence, and deceptive and unfair business practices.
Prepared by law firm Boies Schiller Flexner, the lawsuit seeks to throw back at CrowdStrike assertions about the quality of its software and its compliance with Microsoft conditions for kernel access.
"While CrowdStrike widely touts as part of its published 'business ethics' that 'we [CrowdStrike] do not cut corners' and that '[w]e are honest with our customers,' nothing could be further from the truth. CrowdStrike caused a global catastrophe because it cut corners, took shortcuts and circumvented the very testing and certification processes it advertised for its own benefit and profit," the lawsuit states.
It also takes a swipe at CrowdStrike CEO George Kurtz by noting he was CTO of now-defunct cybersecurity firm McAfee in 2010 when it caused a crash of Windows XP systems through a faulty update that contemporaneous estimates said affected tens of thousands of computers globally. "Staged deployments and testing are basic and standard software development practices, as both CrowdStrike and its CEO are well aware," the lawsuit states.
The cybersecurity company also faces a putative class action lawsuit from investors who allege the company misled them by claiming that its technology was "validated, tested and certified" before the faulty update crashed Windows systems worldwide and sent the company's stock price on a free fall (see: CrowdStrike Faces Class Action Lawsuit Over Global IT Outage).