CrowdStrike points finger back at Delta after airline threatened to sue over outages
Cybersecurity vendor CrowdStrike fired back at major U.S. airline Delta over a lawsuit threat stemming from a flawed software update that led to flight cancellations, saying that if the company followed through it would have to provide public details about its own failings.
“CrowdStrike is highly disappointed by Delta’s suggestion that CrowdStrike was grossly negligent or committed willful misconduct with regard to the” incident, attorney Michael Carlinsky wrote in a letter Sunday to fellow attorney David Boies, whom Delta has hired to seek damages from CrowdStrike and Microsoft.
It’s the latest shoe to drop in the drama that began last month when a CrowdStrike Falcon update caused millions of Microsoft computers to malfunction.
The incident hit airlines particularly hard, with Delta struggling most of all. CEO Ed Bastian said last week that Delta is “heavy with both” CrowdStrike and Microsoft and that the incident has cost the airline $500 million, leading the company to retain Boies’ services.
“We have no choice,” Bastian said on CNBC. “Over a period of five days, between not just the lost revenue, but the tens of millions of dollars per day in compensation and hotels. … You can’t come into a mission critical 24/7 operation and tell us we have a bug. It doesn’t work.”
Bastian also said in the interview that CrowdStrike hadn’t offered “anything” in the way of “free consulting advice to help us,” a claim that CrowdStrike disputed. Delta declined to comment to CyberScoop beyond what was said in the CNBC interview.
CrowdStrike CEO George Kurtz reached out directly to Bastian to offer onsite assistance but didn’t get a response, according to the letter. The company reached out “within hours” to offer help, and after a follow-up, Delta said that onsite assistance wouldn’t be necessary, Carlinsky wrote — an offer other customers accepted. Even now, CrowdStrike is working with Delta’s IT team, he said.
“Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response other than the outage,” the letter states, emphasis theirs. And Carlinsky wrote that any liability is contractually capped at the single-digit millions.
Should Delta sue, it will have to explain publicly why its competitors restored operations more quickly, according to the letter. Delta canceled more than 5,000 flights between July 19 and July 24, according to the flight tracker FlightAware. American Airlines, meanwhile, canceled 400 flights on the first day of the incident and 50 more the next.
Transportation Secretary Pete Buttigieg has criticized Delta specifically over the incident and launched an investigation into the company.
“The letter speaks for itself,” a CrowdStrike spokesperson said. “We have expressed our regret and apologies to all of our customers for this incident and the disruption that resulted. Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party. We hope that Delta will agree to work cooperatively to find a resolution.”
You can read the full letter here.