CrowdStrike Strikes Back on Delta’s Allegations Over Meltdown
Joe Cortez August 06, 2024
Reuters reports that while the IT company apologized to the carrier for the problems, they stand short of accepting full blame for the incident.
CrowdStrike Says They Offered Help, But Got No Response
The CrowdStrike outage on July 19, 2024 brought down airlines and forced a ground order in order to get computer systems back running. While most airlines were able to get services back up quickly, Delta was the one carrier who struggled for days to return to normal service. The incident could end up costing the airline up to $500 million.
After the incident, leadership for Delta told CNBC they hired an outside legal firm to investigate and potentially take both CrowdStrike and Microsoft to court with the hopes of recovering some of their losses. Now CrowdStrike is firing back at those allegations.
In a letter to Delta’s external counsel, attorneys for CrowdStrike once again apologized for the outage, but claimed that the airline’s allegations were completely inaccurate. The letter states that the company is “highly disappointed by Delta’s suggestion that CrowdStrike acted inappropriately and strongly rejects any allegation that it was grossly negligent or committed misconduct.”
The letter goes on to claim that CrowdStrike’s CEO George Kurtz personally reached out to Delta chief executive Ed Bastian to offer his support during the outages, but never received a response. Moreover, the letter claims that Delta declined additional support from CrowdStrike as they worked to return to normal operations.
“Should Delta pursue this path [of litigation], Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions—swiftly, transparently, and constructively—while Delta did not,” attorney Michael Carlinsky wrote in the letter, as quoted by CNN.
No lawsuit has been filed by either party over the crash or outages at Delta Air Lines, and both parties have only made allegations towards each other’s role in Delta’s return to business. Nothing has been proven in a court of law.
Stay up to date with everything Delta Air Lines on the FlyerTalk forums.
I can see both sides of this issue. As a former software QA manager, I believe -- based on the scarce public evidence -- that this is the result of a complete failure in the testing process (maybe CrowdStrike has adopted the all-too-common model of the users being unwilling beta testers). Given the number of large companies affected, it also looks like the update has to have been pushed through without any ability for the end users to test.
On the other hand, it did take Delta an inordinate amount of time to recover, and to hold CrowdStrike 100% responsible seems a bit overboard. Any company nearly 100% dependent on computer technology MUST be prepared to recover from such an incident, and it looks like Delta has failed in this area. I remember a few decades back when American's reservations data base had corrupted pointers and they were down for days, rebuilding the pointers by hand because there wasn't a running backup (which was old technology by then; we were doing it at my employer 15 years before that).
That reminds me -- it's time to test my backups!
I think this is but the first of many lawsuits against Crowdstrike, and likely Microsoft also. And rightly so, as Crowdstrike's error caused extensive damage. Honestly, I can see Crowdstrike go bankrupt, and some competitor come in and buy their tech pennies on the dollar.
Well as somone who has been in the InfoSec world for 30+ years, this is the first of many. Companies once had control over when they would update / upgrade, run new code on a small environment see what happens, yada, yada. but now that the mindset is "Cloud First" and every keystroke that occurs goes to the cloud and back, this was inevetiable.
Ideally Companies need to take responsibility back for the software that they run, but when you put it in the hands of the "Cloud Providers" well... you get what you get, and when multiple companies take the same path then this will happen again and again. Oh yeah the use of the Crowdstrike software is in the name of "Security" keeping the environment safe from the bad guys. Remind me again who are the bad guys???
The cloud is not always your friend, you are responsible for everything that goes to the cloud and all services received from the cloud. There is wording in the contracts that states the end user is ultimatly responsible for cloud interaction. Because of my years in InfoSec, I store nothing in the cloud, I like my home network behind my physical firewalls (I control when the updates occur). Major companies use to have data centers set up like my home network but the bean counters said put it in the cloud we can get rid of xx employees, and here you go.
I do blame Delta here, others were up in hours.
Yep, I see this too. The question is the test of gross negligence as defined by the court and this case will be landmark as it will either determine that software companies have zero liability for doing almost anything, or will be a precedent for software companies being responsible for when their products are marketed and sold in one way even when the license doesn't reflect the same.
Ever software company will try to use the typical 'no warranty' 'no warranty of merchantability' that clearly states that there is ZERO liability, but I think this will be a weaker argument than has been in the past due to the landmark damage and the court will consider that.