CrowdStrike has countersued customer Delta Air Lines, accusing the airline of employing a lawsuit as a smokescreen to hide its own IT and incident response inadequacies.
At issue is the cybersecurity vendor’s botched July 19 update, and who bears responsibility for the delays and outages experienced by Delta – one of the world’s largest carriers – which appear to have been much more substantial than the delays experienced by other CrowdStrike customers.
After an intensifying war of words and legal threats, Delta on Friday sued CrowdStrike in Georgia state court for having “forced untested and faulty updates to its customers” and saying the vendor “must ‘own’ the disaster it created”
Among the allegations contained in the airline’s lawsuit are that “CrowdStrike intentionally created and exploited an unauthorized door within the Microsoft OS through CrowdStrike’s Falcon software,” to automatically push an update to the Windows kernel, in violation of Georgia’s computer crime law.
Shortly after the outage, the Atlanta-based airline told investors the resulting IT disruptions forced it to cancel 7,000 flights over five days. Delta pledged to try and recover its losses from CrowdStrike as well as Microsoft, on account of its building the Windows operating system on which the software runs.
“Delta suffered over $500 million in out-of-pocket losses from the faulty update, in addition to the loss of future revenue and severe damage to Delta’s reputation and goodwill,” according to the airline’s complaint.
In response, CrowdStrike on Friday filed its own complaint against Delta in the U.S. District Court for the Northern District of Georgia. “CrowdStrike quickly identified the cause of the issue, remedied it and pushed out a fix, all within a matter of hours,” it says. “But, in contrast to other major airlines that resumed near-normal levels of operations by the following day, July 20, Delta struggled to resume near-normal levels of operations for days.”
A CrowdStrike spokesperson told Information Security Media Group that the claims in Delta’s complaint are “based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”
This much is agreed: The faulty software update CrowdStrike pushed to its Falcon endpoint software crashed 8.5 million Windows hosts and caused worldwide chaos, including publicly traded Delta, resulting in days of cancellations and delays. Not long after the outage, CrowdStrike issued a preliminary analysis and later a full root-cause analysis, concluding that while it vetted updates before rolling them out, its testing failed to spot “problematic content data” in a new “template type,” which when installed made systems constantly crash into a Windows “Blue Screen of Death” and then reboot, in an unending loop.
The vendor also failed to roll out updates in a staged fashion, which might have helped spot and stop distribution of the faulty update before it got installed on all Falcon-using Windows systems worldwide. CrowdStrike quickly promised to immediately begin staged deployment.
In its countersuit, CrowdStrike said the circumstances surrounding the faulty update in no way amounts to “gross negligence” or “willful misconduct,” as the airline alleges, and also that it “certainly did not cause the harm that Delta claims.”
The cybersecurity firm said it responded quickly and worked closely with customers, including Delta, to help remediate the problem. “Soon after the incident and the days that followed, CrowdStrike was in frequent communication with Delta, helping Delta work through solutions and generally doing whatever CrowdStrike could do to help Delta fix the issues it was experiencing,” the company said.
CrowdStrike’s complaint blames the severity of Delta’s outage on its own incident response processes and infrastructure investments: “Despite the immediate response from CrowdStrike, it was Delta’s own response and IT infrastructure that caused delays in Delta’s ability to resume normal operation, resulting in a longer recovery period than other major airlines”
The vendor has repeatedly accused Delta of filing the lawsuit as a smokescreen designed to deflect criticism resulting from the airline’s “lackluster response, including a federal investigation.”
In addition, “Delta knows its contract with CrowdStrike has ‘limitation of liability’ and ‘exclusion of consequential damages’ provisions, which limit the parties’ liability and excludes any indirect, incidental, punitive or consequential damages of any kind,” CrowdStrike’s complaint says.