Delta sues CrowdStrike over IT outage fallout

Delta Air Lines filed a lawsuit against CrowdStrike Friday in response to the global IT outage caused by the cybersecurity vendor over the summer.

The lawsuit marks the latest fallout from the CrowdStrike global IT outage that began on July 19. The outage was caused by a defective channel file update resulting from a bug in the CrowdStrike Falcon platform's content validator. The faulty update crashed millions of Windows devices and triggered reboot loops that ultimately required manual fixes. Though Microsoft said only 8.5 million devices were affected, the outage had global impact, causing service disruptions at organizations including hospitals and airlines.

Though it was not the only airline affected by the outage, Delta has perhaps been the most outspoken. Delta hired well-known attorney David Boies shortly after the outage, and in late July, Delta CEO Ed Bastian told CNBC the airline was forced to cancel over 5,000 flights and that the five-day outage cost the company approximately $500 million.

However, CrowdStrike and Microsoft both fired back at Delta, claiming that they repeatedly offered help to the airline but Microsoft was refused and CrowdStrike was ignored.

This back and forth ultimately culminated in a lawsuit, filed on Friday by Delta in Georgia's Fulton County Superior Court. As first reported at the time, Delta's complaint cited $500 million in losses as well as further damages for attorneys' fees, expenses, lost profits both now and in the future, and reputational harm. The lawsuit filed on Friday updated the aforementioned "5,000 flights" figure to over 7,000 flights and 1.3 million passengers affected by the outage.

"Since its founding, CrowdStrike has advertised itself as the cybersecurity industry leader," the lawsuit read. "But on July 19, 2024, CrowdStrike forced untested and faulty updates to its customers, causing more than 8.5 million Microsoft Windows-based computers around the world to crash, preventing many of them from being able to restart (the 'Faulty Update')."

A CrowdStrike spokesperson shared a statement with TechTarget Editorial Monday sharply rebuffing Delta's suit.

While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path. Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.

Delta did not respond to TechTarget Editorial's request for comment at press time.

Although CrowdStrike rejected Delta's arguments, it would be fair to say July's outage cast a shadow over CrowdStrike at least in the short time since it occurred. CrowdStrike senior vice-president for counter adversary operations Adam Meyers apologized before the House Committee on Homeland Security in Washington, D.C., for the company's role in the outage.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.