Delta Sues CrowdStrike for $500M, Cites Vendor Accountability and Cybersecurity Negligence

November 5, 2024

Delta Air Lines v. CrowdStrike, a lawsuit over last summer’s massive cybersecurity snafu, has been filed in Georgia State Court. Connor Jones, reporting in The Register, notes that Delta was among the most vocal victims of the CrowdStrike outage in July, reporting thousands of canceled flights affecting over a million customers.

The lawsuit seeks to recover the approximately $500 million in estimated lost revenue caused by the cybersecurity company’s global IT outage. David Boies of Boies Schiller Flexner is representing Delta.

Central to the allegations is CrowdStrike’s failed Falcon sensor update, which Delta alleges was inadequately tested and resulted in widespread “blue screen” crashes across numerous systems. Delta argues that CrowdStrike neglected critical testing protocols, compromising customer systems to avoid delays or costs associated with extensive vetting.

CrowdStrike counters that Delta’s outdated IT infrastructure prolonged the recovery period and is to blame for the extended disruption. CrowdStrike also claims it offered timely, free support, which Delta allegedly refused.

Delta made similar accusations against Microsoft, asserting that its operating system played a role in the outage, which Microsoft denied.

The complaint underscores Delta’s assertion that CrowdStrike’s actions were intentional and negligent. Its statement to The Register stresses vendor accountability, claiming that CrowdStrike took shortcuts, dodged certifications, and “intentionally created and exploited an unauthorized door within the Microsoft operating system through which it deployed the faulty update.”

It also says that the defendant concedes that it failed to adhere to basic industry-standard practices for IT updates, i.e., conducting a phased rollout and providing rollback capabilities. The defendant claims that the instability would have been detected before deployment if basic testing had been conducted on even a single device.
