UPDATE
Delta Air Lines is suing CrowdStrike to recover the $500 million in revenue it lost due to the CrowdStrike outage earlier this year, which led to an assortment of issues and disrupted businesses, airlines, healthcare providers, and more.
The cause of the infamous outage that occurred in July was a defective threat intelligence update for the CrowdStrike Falcon Sensor, a cloud-based endpoint detection and prevention software. After investigating the issue, CrowdStrike reported that its engineering team had discovered a bug in the memory scanning prevention policy, a flaw that was not identified during testing stages. That ultimately led to Microsoft servers displaying the “blue screen of death” across the world, and collective disarray in response.
At the time of the outage, Delta reported that it had to cancel thousands of flights — about 7,000 between July 19 and July 24 — affecting 1.3 million customers and prompting multiple class-action lawsuits.
In its Securities and Exchange Commission (SEC) filing, the airline estimated that recovery from the outage would cost around $170 million.
Now, the airline is seeking legal recourse to regain its lost funds, plus punitive damages for the outage.
A Multimillion-Dollar Lawsuit Tests Cyber Liability
Last week, Delta launched a formal complaint against CrowdStrike in a Georgia state court, arguing that the cybersecurity company failed to properly test the Falcon sensor update before deploying, leading to widespread disruption.
“CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit,” Delta said in the lawsuit, which was filed in Fulton County Superior Court in Georgia.
CrowdStrike, however, argues that Delta is operating with “misinformation” and is trying to shift blame for its notably slow recovery from the outage.
“While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path,” a CrowdStrike spokesperson tells Dark Reading. “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”
Indeed, the US Department of Transportation is investigating why Delta took longer to recover from the outage compared with other air carriers. Pete Buttigieg, US transportation secretary, said he also would look into complaints regarding Delta’s less-than-stellar customer service during the outage, which resulted in long waits for assistance and unaccompanied minors stranded at airports.
A CrowdStrike spokesperson told the Associated Press that CrowdStrike attempted to settle these disputes with Delta earlier this year; however, there are disagreements as to how much lost revenue CrowdStrike is liable for, with the security firm arguing that it is less than $10 million.
“We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims and they repeatedly refused assistance from both CrowdStrike and Microsoft,” the CrowdStrike spokesperson adds. “Any claims of gross negligence and willful misconduct have no basis in fact.”
This story was updated at 5:40 p.m. ET on Oct. 28 to reflect comments from CrowdStrike.