5 Things To Know On Delta’s Lawsuit Against CrowdStrike
Delta is seeking unspecified damages in connection with the CrowdStrike-caused IT outage in July, which cost the airline more than $500 million in out-of-pocket losses, according to the complaint.
Delta is seeking significant damages from CrowdStrike in connection with the July IT outage caused by the cybersecurity vendor, which cost the airline more than $500 million in immediate losses as well as additional harms, according to a lawsuit filed by Delta.
The complaint filed Friday in Georgia, where Delta is based, comes three months after the global Windows outage that led the airline to cancel approximately 7,000 flights over five days.
CrowdStrike’s defective July 19 Falcon configuration update sent 8.5 million Microsoft Windows devices into a “blue screen of death” state, causing disruptions to health care, banking and business in addition to affecting air travel.
“CrowdStrike committed a series of intentional and grossly negligent acts that caused the global IT outage on July 19,” Delta said in a statement provided to CRN. “While CrowdStrike has sought to characterize its actions as simple learning opportunities, the reality is CrowdStrike took shortcuts, circumvented certifications, and intentionally created and exploited an unauthorized door within the Microsoft operating system through which it deployed the faulty update.”
However, two other airlines that initially saw significant disruptions from the outage, United and American Airlines, recovered faster than Delta.
The 36-page complaint, which was filed by the law firm Boies Schiller Flexner, was slammed by CrowdStrike as an effort to shift the blame. Both CrowdStrike and Microsoft have previously contended that Delta did not accept offers of help with responding to the outage.
What follows are five things to know about Delta’s lawsuit against CrowdStrike.
Breach Of Contract, Negligence Claimed
The lawsuit filed by Delta levels a range of accusations against CrowdStrike, including breach of contract and negligence. The suit goes so far as to suggest that “CrowdStrike breached its contractual promises in an intentional manner—or in a manner that was no less than grossly negligent” in connection with its update deployment process.
This included rolling out the Falcon update on July 19 “without minimal testing [or] routine quality and assurance” and “without staged deployments, including installing the Faulty Update onto Delta’s computers without its knowledge or consent.”
The update was also deployed “without any rollback capabilities,” Delta said in the suit.
CrowdStrike maintains that, as has been documented, the update was rolled back, or “reverted,” in 78 minutes.
Previously, CrowdStrike has pledged to do additional testing and deploy staged rollouts of updates to prevent the recurrence of such incidents in the future.
CrowdStrike Fires Back
In a statement responding to the complaint, CrowdStrike suggested that Delta bears significant responsibility for the disruptions it faced in the wake of the outage.
“While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path,” CrowdStrike said in the statement. “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”
In August, CrowdStrike had said that it attempted to assist the airline with recovering from the outage, but the offer was not accepted.
Microsoft likewise accused Delta of ignoring offers to help with recovery from the outage, alleging that this was partly due to Delta operating outdated IT systems.
Range Of Damages Sought
While Delta did not specify a dollar amount for the damages it is seeking in its lawsuit, the airline pointed to several types of damages it believes are owed over the incident.
“Delta estimates that it suffered over $500 million in out-of-pocket losses from the Faulty Update, in addition to future revenue and severe harm to its reputation and goodwill,” the airline said in the complaint.
In addition to seeking “an award of money damages compensating Delta for the losses it has suffered as a result of CrowdStrike’s Faulty Update,” the airline is also seeking litigation expenses (including attorney fees) as well as an award of punitive damages.
Delta believes it is “entitled to an award of punitive damages in an amount necessary to punish, penalize, and deter such conduct,” according to the complaint.
Lack Of Testing Cited
In the complaint against CrowdStrike, Delta emphasized what it called “inadequate software testing” that led to the July 19 incident.
“While CrowdStrike widely touts as part of its published ‘business ethics’ that ‘we [CrowdStrike] do not cut corners’ and that ‘[w]e are honest with our customers,’ nothing could be further from the truth,” Delta said in the lawsuit. “CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit.”
“If CrowdStrike had tested the Faulty Update on even one computer before deployment, the computer would have crashed,” the airline said in the complaint.
Kernel Updates Questioned
A lengthy section of the complaint is devoted to examining the issues surrounding updates that impact the Windows kernel, which is the core control center for the Windows operating system. Kernel access has been pinpointed as a key factor in the July outage.
CrowdStrike has previously shared technical details of kernel access and its Microsoft certification process in a blog post. These details are also publicly available in the Root Cause Analysis.
In the lawsuit, Delta alleged that “CrowdStrike never told its customers that to detect and prevent cyberattacks, CrowdStrike would exploit its privileged kernel-level access in order to insert untested and uncertified programming or data.”
“While CrowdStrike swore to protect its customers’ computer systems, networks, and programs, CrowdStrike circumvented and bypassed the controls and protections the developers of those systems created,” Delta said in the suit. “CrowdStrike leveraged its expertise gained from crowdsourced information, to maintain an exploit of the Microsoft OS for its own expediency.”
CrowdStrike ultimately “knew that these unauthorized alterations and hacking of kernel-level controls and protections would upset and potentially damage CrowdStrike’s customers, and it thus hid these tactics from customers, including Delta,” the airline said in the complaint.
For its part, CrowdStrike has said the July 19 update did not bypass Microsoft’s “clear kernel review process” for Windows. It has said the update was a “rapid response content update”—and “these updates don’t execute code in the kernel.”
In response to the July incident, CrowdStrike also disclosed that it has since overhauled its approach to deploying threat-related content updates to ensure that even routine configuration changes go through rigorous testing and staging.