Last summer, a monumental outage caused by cybersecurity firm CrowdStrike sent shockwaves across multiple industries, from airlines to financial services. Now, following Delta Air Lines’ lawsuit to recover its losses, a federal judge has cleared the way for Delta to proceed. This decision comes after CrowdStrike’s own president admitted the company made a significant error.
CrowdStrike’s July 2024 outage has been dubbed the largest IT failure in history, impacting millions of devices running on Microsoft Windows. The incident was triggered by a flawed software update that somehow met crowd validation but contained problematic data. Consequently, the infamous Blue Screen of Death appeared on countless computers globally.
How Much Did the Outage Cost Major Companies?
The financial repercussions of this event are staggering, with estimates suggesting that U.S. Fortune 500 companies lost a collective $5.4 billion. Among these companies, Delta Airlines faced the most severe financial hit, reporting around 7,000 canceled flights and approximately $550 million (€521 million) in lost revenue and additional costs. Interestingly, Delta managed to save $50 million (€47 million) in fuel expenses by canceling these flights, but that was a small consolation for the losses incurred.
What Happened After Delta Filed the Lawsuit?
Delta filed its initial lawsuit against CrowdStrike just three months after the disastrous event. While CrowdStrike attempted to get the case dismissed, Judge Kelly Lee Ellerbe of the Fulton County Superior Court ruled that Delta can try to prove CrowdStrike’s gross negligence. The judge pointed out that Delta specifically claimed that if CrowdStrike had taken the time to test the July update on a single computer, the crucial programming error would have been caught.
Does Delta Have a Valid Claim Against CrowdStrike?
According to reports, the judge also granted Delta the right to pursue a claim for unauthorized computer access, as they argued that CrowdStrike had falsely assured them that no unauthorized back doors would be added to their systems.
CrowdStrike, on its part, argues that Georgia law limits Delta’s ability to recover damages through tort claims. Additionally, CrowdStrike has suggested that Delta was an “outlier,” claiming that their own systems exacerbated the situation. They noted, “Although Delta acknowledges that it took just hours — not days — for Delta employees to fix the outage, cancellations far exceeded the flight disruptions its peer airlines experienced.”
How Did Other Airlines Manage the Outage?
While Delta struggled significantly, other airlines recovered more swiftly. For instance, United Airlines managed to cancel only about 1,500 flights amidst the same outage. A key factor in Delta’s extended recovery appears to be its substantial reliance on its Atlanta hub. CrowdStrike’s attorney, Michael Carlinsky, pointed out that Delta needs to evaluate its IT structure’s design and operational resilience.
What Were CrowdStrike’s Responses Post-Outage?
Shortly after the incident, CrowdStrike attempted to make amends by sending out $10 (€9) apology gift cards for UberEats, which unfortunately didn’t function correctly. Notably, just following Carlinsky’s letter to Delta, CrowdStrike’s president, Michael Sentonas, attended the Pwnie Awards to accept the “Most Epic Fail” recognition for the company’s handling of the outage. Sentonas openly acknowledged the failure: “It’s super important to own it when you do things horribly wrong, which we did in this case.”
This candid admission was even referenced in Judge Ellerbe’s decision, highlighting Sentonas’ acknowledgment of their significant misstep. Carlinsky, however, believes that the judge may dismiss Delta’s case or only award damages in the “single-digit millions” range.
While this ruling represents a partial victory for Delta, the airline still faces challenges. Recently, U.S. District Judge Mark Cohen stated that Delta must confront a separate lawsuit filed by passengers who were denied full refunds for canceled flights linked to the outage.
Did you know that such outages can have far-reaching effects on both companies and consumers? It’s a key reminder for businesses to maintain operational resilience and robust cybersecurity measures.
As always, stay updated as these legal battles unfold, and keep exploring more related content at Moyens I/O.