CrowdStrike Sues Delta: 5 Key Takeaways
The cybersecurity vendor says in a federal lawsuit over the July IT outage that it ‘certainly did not cause the harm that Delta claims.’
CrowdStrike has filed a lawsuit against Delta over the July IT outage that crippled the airline for days, formally accusing Delta of seeking to “shift blame” for its own failings to the cybersecurity vendor.
The suit filed Friday in the U.S. District Court in Georgia came the same day that Delta filed a complaint against CrowdStrike in Superior Court in Georgia, seeking at least $500 million in damages from CrowdStrike over the incident.
[Related: CrowdStrike Coming Away A ‘Stronger Company’ After Global Outage: CEO George Kurtz]
The coinciding lawsuits came three months after the global Microsoft Windows outage caused by a faulty configuration update from CrowdStrike, which led Delta to cancel approximately 7,000 flights over five days.
“We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims, and they repeatedly refused assistance from both CrowdStrike and Microsoft,” a CrowdStrike spokesperson said in a statement provided to CRN. “Any claims of gross negligence and willful misconduct have no basis in fact.”
What follows are five key takeaways about CrowdStrike’s lawsuit against Delta.
CrowdStrike: ‘Lackluster’ Delta Response
In its lawsuit against Delta, CrowdStrike argued that its July 19 update was not the culprit in the continuance of disruptions at the airline well into the following week. Notably, two other airlines that initially saw significant disruptions from the outage, United and American Airlines, recovered faster than Delta.
Instead, CrowdStrike contended that Delta’s response was “lackluster” in the wake of the outage, and that the airline is now seeking to inappropriately “shift blame” for the entirety of the disruption to CrowdStrike.
Following the faulty update on July 19, “CrowdStrike quickly identified the cause of the issue, remedied it, and pushed out a fix, all within a matter of hours,” the company said in the lawsuit against Delta. “But, in contrast to other major airlines that resumed near-normal levels of operations by the following day, July 20, Delta struggled to resume near-normal levels of operations for days.”
Ultimately, “it was Delta’s own response and IT infrastructure that caused delays in Delta’s ability to resume normal operation, resulting in a longer recovery period than other major airlines,” CrowdStrike said in the suit.
“CrowdStrike in no way acted grossly negligent or committed willful misconduct and certainly did not cause the harm that Delta claims,” the company said.
Outdated IT Systems Alleged
In its filing against Delta, CrowdStrike also reiterated its statement that Delta did not accept offers of help with responding to the outage. Microsoft likewise has previously accused Delta of ignoring offers to help with recovery from the outage, alleging that this was partly due to Delta operating outdated IT systems.
In the lawsuit filing, CrowdStrike offered further details on the issues it believes were behind the elongated recovery process at Delta.
“Delta’s response to the outage and CrowdStrike’s efforts to help remediate the issues revealed technological shortcomings and failures to follow security best practices, including outdated IT systems, issues in Delta’s active directory environment, and thousands of compromised passwords,” CrowdStrike said in the suit.
Additionally, CrowdStrike engineers “detected a custom script running daily on thousands of Delta machines, further indicating that Delta had previously recognized a lack of proper hygiene in its systems,” the company said in the filing. “CrowdStrike did not identify this issue on other customers’ systems, indicating it was unique to Delta.”
Limited Liability Clause Cited
In its lawsuit against Delta, CrowdStrike pointed to the existence of a “clause in the agreement governing Delta and CrowdStrike’s relationship that limits any potential damages.”
“Delta knows its contract with CrowdStrike has ‘limitation of liability’ and ‘exclusion of consequential damages’ provisions, which limit the parties’ liability and excludes any indirect, incidental, punitive, or consequential damages of any kind,” CrowdStrike said in the filing.
In particular, as part of the Subscription Services Agreement reached between CrowdStrike and Delta in June 2022, “CrowdStrike’s liability to Delta for any damages in any way related to the July 19 Incident, if any, is limited to two times the value of the fees,” the company said.
Additionally, “neither Delta nor CrowdStrike are liable to the other for any indirect, incidental, punitive, or consequential damages of any kind related in any way to the July 19 Incident, including, but not limited to, lost revenues, profits, or goodwill,” CrowdStrike said in the filing.
CrowdStrike Seeking Federal Jurisdiction
CrowdStrike said it filed its lawsuit in the district court in Georgia because it believes the court has jurisdiction over the dispute with Delta.
The court has jurisdiction under federal law because “resolution of this action and Delta’s threatened claims and alleged damages against CrowdStrike turn on the Court’s application, interpretation, and determination of a number of federal laws and/or regulations,” CrowdStrike said in its filing.
CrowdStrike pointed to two pending class-action suits involving Delta consumers, who are seeking to receive damages payments from Delta over the flight delays and cancellations in July — in response to which Delta “has invoked and liberally cited to federal law.”
CrowdStrike’s filing asks for the District Court in Georgia to enter judgment against Delta over the matter, including by granting a declaration referencing the contractual limitation of liability in the June 2022 agreement between Delta and CrowdStrike, as well as awarding attorney’s fees.
Delta’s Response To CrowdStrike Suit
In a Delta statement responding to CrowdStrike’s lawsuit provided to CRN, the airline said it rejected CrowdStrike’s arguments as well as the filing of the suit in U.S. District Court.
“We believe this declaratory action and the alleged bases for federal jurisdiction are meritless,” Delta said in the statement Tuesday, adding that it “will file a motion to dismiss promptly and looks forward to vindicating its claims in Fulton Superior Court.”
Delta’s own lawsuit against CrowdStrike said that the airline was seeking damages because it “suffered over $500 million in out-of-pocket losses from the Faulty Update, in addition to future revenue and severe harm to its reputation and goodwill.”
CrowdStrike has pledged to do additional testing and deploy staged rollouts of updates to prevent the recurrence of such outage incidents in the future.
And earlier this month, CrowdStrike co-founder and CEO George Kurtz said during an interview with CRN that overall customer sentiment has been positive in the wake of the July incident, which “underscores the level of trust that we have with the partner community and with our customers.”
“I think customers have really recognized, in the conversations I’ve had, how much trust that we’ve built up over the last decade-plus — how many times we’ve saved them,” Kurtz said during the interview. “Everyone that I’ve interacted with has been very supportive and realized what we’ve built, how we’ve helped them, and obviously, how we responded.”