CrowdStrike Rejects Delta's Negligence Claims Over IT Outage
Cybersecurity Firm Says Airline Rebuffed Help, Questions Its Incident Response
CrowdStrike is rejecting claims of misconduct and negligence leveled at it by Delta Air Lines over a faulty software update that plunged the cybersecurity company's client into a days-long snafu of canceled flights.
With the airline making legal threats, the cybersecurity vendor is pointedly asking why Delta's competitors recovered so much more quickly.
The tussle follows a CrowdStrike Falcon endpoint security software "rapid content update" crashing 8.5 million Windows hosts on July 19 that caused global IT chaos by sending Microsoft computers into a blue screen of death loop. Delta, America's second biggest airline, canceled 5,000 flights, disrupting travel for millions.
The Atlanta-based airline has retained high-profile litigator David Boies, who threatened to sue CrowdStrike and Microsoft to recover damages. Delta CEO Ed Bastian told CNBC the outage has cost it $500 million, with 40,000 crashed servers having to be manually reset to get his company back up and running.
CrowdStrike on Sunday responded to Delta's legal threats, saying in a letter it "strongly rejects any allegation that it was grossly negligent or committed willful misconduct," and noting that the airline rebuffed multiple offers of help.
"Delta's public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta's IT decisions and response to the outage," CrowdStrike lawyer Michael B. Carlinsky, co-managing partner at Quinn Emanuel Urquhart & Sullivan, wrote in the letter to Boies, who's chairman of the law firm Boies Schiller Flexner LLP.
"Within hours of the incident, CrowdStrike reached out to Delta to offer assistance and ensure Delta was aware of an available remediation," Carlinsky wrote.
CrowdStrike CEO George Kurtz also directly contacted Delta's CEO "to offer onsite assistance, but received no response," he wrote. After following up further, CrowdStrike was told by the airline "that the onsite resources were not needed." Since then, the cybersecurity vendor has been continuing "to work closely and professionally with the Delta information security team."
Reached for comment, a Delta spokesperson referred back to Bastian's Wednesday CNBC interview, in which he addressed IT investments as well as not asking CrowdStrike to come onsite.
"We build hundreds of millions of dollars of investment in redundancies," he said. "If you're going to be having access, priority access, to the Delta ecosystem in terms of technology, you've got to test this stuff. You can't come into a mission-critical, 24/7 operation and tell us, 'We have a bug.' It doesn't work."
CrowdStrike's legal response followed Boies on July 29 sending letters to both the cybersecurity firm and Microsoft, telling them to prepare for litigation.
Boies wrote to CrowdStrike that the company's faulty update "caused a catastrophic shutdown of many of Delta's most critical systems which, in turn, caused a crippling disruption to Delta's operations," leading to more than a million travelers on Delta suffering flight cancellations and delays, reported The Wall Street Journal, which reviewed copies of the letters.
"The faulty update has severely damaged Delta's business, reputation and goodwill," Boies said.
In a separate letter to Microsoft, Boies reportedly accused the tech giant of building an operating system through which the faulty CrowdStrike software update was able to "access files without the necessary testing, verification and other required prophylactic to protect against system-wide failure in a Windows environment."
The airline's problems appear to have stemmed from a cascade of critical applications failing after the faulty CrowdStrike update crashed its Windows hosts. "Delta has a significant number of applications that use that system, and in particular one of our crew tracking-related tools was affected and unable to effectively process the unprecedented number of changes triggered by the system shutdown," Bastian, Delta's CEO, wrote in a July 21 update to customers.
The U.S. Department of Transportation is investigating the airline's response, including its compliance with U.S. government "passenger protection requirements."
Delta said it's offering refunds for "customers whose travel was disrupted due to a canceled or significantly delayed flight." The airline has also promised to reimburse some types of out-of-pocket expenses incurred from July 19 to July 28 for customers forced to make alternate travel arrangements, "including flight tickets purchased on other airlines in the same cabin of service or lower, train and bus tickets, rental cars and ride shares."
CrowdStrike Questions Delta's Recovery
CrowdStrike in its Sunday letter questioned why Delta took so long to restore its own systems, especially when compared against competitors. American and United also experienced disruption, but were back up and running much more quickly.
The cybersecurity vendor also said that "any liability by CrowdStrike is contractually capped at an amount in the single-digit millions."
Owing to the legal threats, CrowdStrike has demanded that Delta preserve all documents, records and communications pertaining to numerous aspects of its IT program and incident response plans. This includes "all assessments of Delta's IT infrastructure, including any gaps and remediation recommendations, for the last five years, including in the wake of the Channel File 291 incident," as well as full details of all decisions pertaining to upgrading, or deciding not to upgrade, its IT infrastructure.
"While litigation would be unfortunate, CrowdStrike will respond aggressively, if forced to do so, in order to protect its shareholders, employees and other stakeholders," Carlinsky wrote.
Big Fallout
Whether other CrowdStrike customers, or their insurers, will seek to recover damages remains unclear.
Cyber risk analytics platform CyberCube predicted cyber insurers will pay $400 million to $1.5 billion in compensation to policyholders over the outage.
"This event travelled very fast and was very global," Jonatan Hatzor, CEO of cloud outage risk modeler and underwriting agency Parametrix Solutions, told Reuters.
Total losses resulting from the CrowdStrike outage could reach $15 billion, he said.
CrowdStrike is facing a putative class action lawsuit from investors alleging the company misled them by claiming its technology was "validated, tested and certified" prior to issuing the faulty software update (see: CrowdStrike Faces Class Action Lawsuit Over Global IT Outage).
On July 23, CrowdStrike issued a preliminary incident report, which found that internal testing failures, including buggy testing software, failed to prevent the faulty "rapid content update" that caused worldwide disruption. The company has pledged to publish a full root-cause analysis of the event once it wraps its investigation, as well as to overhaul its software testing and distribution practices.