Delta Hits ‘Inadequate’ CrowdStrike Apology, Reveals $380M Hit To Revenue

CrowdStrike’s 'apology alone in these circumstances is vastly inadequate,' Delta’s attorney said in a letter Thursday.

Delta Air Lines and CrowdStrike’s war of words over responsibility and compensation concerning the July 19 faulty update that downed about 8.5 million Microsoft Windows machines continues to unfold publicly with well-known attorney David Boies, representing Delta, firing back at CrowdStrike in a new letter.

In the letter, dated for Thursday and shared with CRN, Boies said that CrowdStrike’s “apology alone in these circumstances is vastly inadequate, and when accompanied by misstatements and attempts to shift the blame to Delta of doubtful sincerity.”

The letter is signed by Boies and addressed to attorney Michael Carlinsky – who is representing CrowdStrike and previously sent Atlanta-based Delta a letter saying that the Austin, Texas-based security vendor “strongly rejects any allegation that it was grossly negligent or committed willful misconduct.”

Boies said that Delta is “still working to understand the full extent of what CrowdStrike did (and didn’t do) that resulted in the disaster that everyone in the world other than CrowdStrike seems to know occurred.”

Delta Says Incident Cost $380M

“Rather than continuing to try to evade responsibility, I would hope that CrowdStrike would immediately share everything it knows,” Boies said. “It will all come out in litigation anyway. If CrowdStrike genuinely seeks to avoid a lawsuit by Delta, then it must accept real responsibility for its actions and compensate Delta for the severe damage it caused to Delta’s business, reputation, and goodwill.”

On Thursday, Delta also revealed in a regulatory filing that it saw a $380 million direct revenue cost from the faulty CrowdStrike update.

Delta CEO Ed Bastian said in the filing that Delta is “pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage, which total at least $500 million.”

When asked by CRN for comment, a CrowdStrike spokesperson said in a statement that “Delta continues to push a misleading narrative." The spokesperson also described steps the security vendor took to help the airline during the outage.

Like CrowdStrike, Microsoft sent a letter to Delta. In the letter, the tech giant alleged that “Delta likely refused Microsoft’s help because the IT system it was most having trouble restoring—its crew-tracking and scheduling system—was being serviced by other technology providers, such as IBM, because it runs on those providers’ systems, and not Microsoft Windows or Azure.”

When asked by CRN about Delta’s regulatory filing and letter to CrowdStrike, a Microsoft spokesperson referred to the Redmond, Wash.-based tech giant’s letter to Delta.

CRN has asked Delta if it sent a response letter to Microsoft.

Delta Responds To CrowdStrike Letter

In Delta’s response to CrowdStrike, Boies said that calling the effects of the faulty update an “incident” or “outage” minimizes “the international disaster it (CrowdStrike) caused.” He said this minimization “surprised and disappointed” Delta and accused CrowdStrike of trying “a ‘blame the victim’ defense.”

Boies’ resume includes representing the U.S. in its historic antitrust case against Microsoft as well as representing defunct health technology company Theranos and disgraced Hollywood producer Harvey Weinstein.

CrowdStrike’s attorney, Carlinsky, has notably represented insurance company AIG, financial services firm Morgan Stanley and artificial intelligence software company C3 AI, according to his website.

The faulty update “shut down more than 37,000 computers and disrupted the travel plans of more than 1.3 million Delta customers,” Boies said in the letter. "Thousands of crew members” were “dislocated from their scheduled assignments for an extended period of time.”

“There is no basis – none – to suggest that Delta was in any way responsible for the faulty software that crashed systems around the world,” according to the letter. “When the disaster occurred, dedicated Delta employees across the company worked tirelessly to recover from the damage CrowdStrike had caused. Their efforts were hindered by CrowdStrike’s failure to promptly provide an automatic solution or the information needed to facilitate those efforts.”

Boies said that “it is CrowdStrike’s conduct, and CrowdStrike’s conduct alone, for which CrowdStrike is liable.”

The attorney said that CrowdStrike’s actions rise to the level of “gross negligence or willful misconduct.” The contract with Delta “does not cap liability or damages for gross negligence or willful misconduct.”

Boies alleged that CrowdStrike’s preliminary post incident review (PIR) and root cause analysis (RCA) back this up. The PIR said “that CrowdStrike did not properly validate or test the Faulty Update, relying instead on tests of other earlier-released components of its Falcon system,” according to Boies.

The RCA said that had CrowdStrike “maintained basic software development, testing, and validation procedures, the July 19 disaster from the Faulty Update would not have occurred.”

He also alleged that CrowdStrike did not have a “staged rollout to mitigate risk” and did not have “roll-back capabilities.” CrowdStrike’s automated fix offered on July 21 “introduced a second bug that prevented many machines from recovering without additional intervention,” Boies alleged in the letter.

“Your position disregards the massive impact that CrowdStrike’s conduct has inflicted on Delta, its customers, and its people,” Boies said.

Helping Delta

CrowdStrike and Delta appear to differ on their version of events that happened during the outage.

Boies said that CrowdStrike’s help in the first 65 hours of the incident was merely referring “Delta to CrowdStrike’s publicly available remediation website, which instructed Delta to manually reboot every single affected machine.”

Boies called a “single offer of support” from CrowdStrike CEO George Kurtz to Delta CEO Ed Bastian the evening of July 22 “unhelpful and untimely.”

“When made—almost four days after the CrowdStrike disaster began—Delta had already restored its critical systems and most other machines,” Boies said. “Many of the remaining machines were located in secure airport areas requiring government-mandated access clearance. By that time Delta’s confidence in CrowdStrike was naturally shaken.”

In CrowdStrike’s emailed statement to CRN, a spokesperson said that Kurtz “called Delta board member David DeWalt within four hours of the incident on July 19th.”

“CrowdStrike’s Chief Security Officer was in direct contact with Delta’s CISO within hours of the incident, providing information and offering support,” the spokesperson said. “CrowdStrike’s and Delta’s teams worked closely together within hours of the incident, with CrowdStrike providing technical support beyond what was available on the website.”

The spokesperson referred to a LinkedIn post by DeWalt that said “George and his team have done an incredible job, working through the night in difficult circumstances to deliver a fix. It is a huge credit to the Crowdstrike team and their leadership that many woke up to a fix already available.”

DeWalt is the founder and CEO of investment firm NightDragon. His resume includes multiple leadership positions in the security space ranging from vice chairman of ForgeRock to CEO of FireEye to CEO of McAfee, according to his LinkedIn account.

Delta also pushed back against criticisms of its IT and its response to the outage. “For the last several years, including prior to and following its recovery from the Faulty Update, Delta’s operational reliability and customer service has led the airline industry,” Boies said. “Delta has achieved its industry-leading reliability and service due, in part, to investing billions of dollars in information technology.”

The airline blamed an overreliance on CrowdStrike and Microsoft as a reason it took longer to come back online compared to other airlines affected by the faulty update.

About “60 percent of Delta’s mission-critical applications and their associated data—including Delta’s redundant backup systems—depend on the Microsoft Windows operating system and CrowdStrike,” Boies said in the letter. “Delta has long regarded CrowdStrike and Microsoft as reliable technology providers. Delta’s reliance on CrowdStrike and Microsoft actually exacerbated its experience in the CrowdStrike-caused disaster.”

Delta’s $380M Loss

Meanwhile, also on Thursday, Delta revealed in a regulatory filing that the cost during its September quarter was “primarily driven by refunding customers for cancelled flights and providing customer compensation in the form of cash and SkyMiles.”

“An operational disruption of this length and magnitude is unacceptable, and our customers and employees deserve better,” CEO Bastian said in the filing. “Since the incident, our people have returned the operation to an industry-leading position that is consistent with the level of performance our customers expect from Delta.”

Delta said in the filing that the outage caused about 7,000 flight cancellations over five days. It put a $170 million price tag on “non-fuel expense associated with the technology-driven outage and subsequent operational recovery.”

That cost was “primarily due to customer expense reimbursements and crew-related costs.”

The airline noted that its fuel expense for the quarter “is estimated to be $50 million lower” due to the cancellations. That lowered expense “impacted projected year-over-year September quarter 2024 capacity growth by approximately 1.5 points,” according to Delta.