Both companies file lawsuits following major IT outage
Delta Air Lines and cybersecurity firm CrowdStrike are embroiled in a legal battle following the significant IT outage in July, which impacted millions of computers globally and led Delta to cancel around 7,000 flights within a single week. This event prompted both companies to sue each other, seeking to establish fault and financial responsibility.
Delta initiated legal proceedings in Fulton County Superior Court, Georgia, accusing CrowdStrike of both negligence and breach of contract. The airline claims that despite disabling automatic updates, a flawed software update from CrowdStrike’s Falcon software infiltrated its systems. This incident allegedly resulted in a $380 million drop in revenue for Delta, along with an additional $170 million in operational costs, highlighting the financial impact of the outage.
CrowdStrike, on the other hand, retaliated with its own lawsuit in the U.S. District Court of Georgia. The cybersecurity company is seeking a judicial declaration that limits any financial liability to the terms outlined in its service agreement with Delta. In its defence, CrowdStrike contends that Delta’s damages were mainly due to the airline’s own negligence rather than any fault of the cybersecurity firm’s software.
The dispute between the two companies has been brewing publicly since the mass cancellations occurred. Shortly after the outage, Delta enlisted David Boies from the law firm Boies Schiller Flexner to help pursue damages from both CrowdStrike and Microsoft. The airline is demanding compensation to cover not only its financial losses but also the litigation expenses and punitive damages associated with the incident.
In its complaint, Delta argues that CrowdStrike’s decision to bypass essential testing and certification protocols led directly to the crisis. According to the airline, even a minimal test of the problematic update on a single computer could have revealed the critical flaws, preventing the subsequent widespread damage. Delta further alleges that CrowdStrike’s Falcon software created an unauthorised entry point within Windows, something the airline would never have permitted under standard circumstances.
Delta CEO Ed Bastian expressed a firm stance during a recent interview, emphasising that full compensation for the chaos created by the outage is both necessary and justified. Meanwhile, CrowdStrike CEO George Kurtz has publicly apologised for the situation, and the company has pledged to revise its operational methods to avoid similar problems in the future. In August, CrowdStrike adjusted its financial outlook for the year, factoring in a customer compensation plan linked to the outage.
A spokesperson for CrowdStrike criticised Delta’s approach in an email to CNBC, stating that the airline’s accusations were based on debunked misinformation and showed a fundamental misunderstanding of modern cybersecurity practices. They suggested that Delta’s actions were merely a desperate attempt to deflect attention from its own outdated IT systems, which had contributed significantly to the slow recovery from the outage.
As part of the ongoing fallout, Microsoft has engaged in discussions with CrowdStrike and other security software vendors about potential improvements. These talks took place during a summit in September, aimed at enhancing endpoint security and preventing similar disruptions in the future.