CrowdStrike Sues Delta: 5 Key Things

The cybersecurity vendor says in a federal lawsuit over the July IT outage that it “certainly did not cause the harm that Delta alleges.”

CrowdStrike filed a lawsuit against Delta over the July IT outage that crippled the airline for days, formally accusing Delta of trying to “shift the blame” for its own failures onto the cybersecurity vendor.

The lawsuit filed Friday in U.S. District Court in Georgia came the same day Delta filed a complaint against CrowdStrike in Georgia Superior Court, seeking at least $500 million in damages from CrowdStrike for the incident.

The coinciding lawsuits came three months after Microsoft’s global Windows pause caused by a faulty configuration update from CrowdStrike that caused Delta to cancel about 7,000 flights over five days.

“We have filed a declaratory judgment to clarify that CrowdStrike did not cause the harm that Delta claims, and they have repeatedly refused assistance from both CrowdStrike and Microsoft,” a CrowdStrike spokesperson said in a statement submitted to CRN. “Any claims of gross negligence and willful misconduct have no basis in fact.”

What follows are five key takeaways from CrowdStrike’s lawsuit against Delta.

CrowdStrike: “Lackluster” Delta Response

In its lawsuit against Delta, CrowdStrike argued that its July 19 update was not to blame for the continued outages at the airline into the following week. Notably, two other airlines that initially experienced significant disruption from the outage, United and American Airlines, recovered more quickly than Delta.

Instead, CrowdStrike argued that Delta’s response was “unworkable” following the outage, and that the airline is now trying to improperly “shift the blame” for the entire CrowdStrike outage.

Following the faulty update on July 19, “CrowdStrike quickly identified the cause of the problem, addressed it and fixed it, all within hours,” the company said in the lawsuit against Delta. “But unlike other major airlines that resumed near-normal levels of operations by the following day, July 20, Delta struggled for days to resume near-normal levels of operations.”

Ultimately, “it was Delta’s response and IT infrastructure that caused delays in Delta’s ability to resume normal operations, resulting in a longer recovery period than other major airlines,” CrowdStrike said in the lawsuit.

“CrowdStrike did not in any way act with gross negligence or willful misconduct and certainly did not cause the injury that Delta claims,” the company said.

Alleged outdated IT systems

In its filing against Delta, CrowdStrike reiterated its statement that Delta did not accept offers to help respond to the outage. Microsoft has also previously accused Delta of ignoring offers to help recover from the outage, claiming this was partly due to Delta operating outdated IT systems.

In the lawsuit filing, CrowdStrike provided more details about the problems it believes were behind the lengthy recovery process at Delta.

“Delta’s response to the outage and CrowdStrike’s efforts to help fix the problems revealed technology deficiencies and failures of security best practices, including outdated IT systems, problems in Delta’s Active Directory environment, and thousands of compromised passwords,” he said. CrowdStrike said in the lawsuit.

In addition, CrowdStrike engineers “detected a custom script running daily on thousands of Delta machines, further indicating that Delta previously acknowledged a lack of proper hygiene in its systems,” the company said in the filing. “CrowdStrike did not identify this issue on other customers’ systems, indicating that it was unique to Delta.”

Limited liability clause quoted

In its lawsuit against Delta, CrowdStrike pointed to a “clause in the agreement governing the relationship between Delta and CrowdStrike that limits any potential damages.”

“Delta is aware that its contract with CrowdStrike has ‘limitation of liability’ and ‘exclusion of consequential damages’ provisions that limit the parties’ liability and exclude any indirect, incidental, punitive or consequential damages of any kind,” CrowdStrike said in the filing. .

Specifically, as part of the June 2022 Subscription Services Agreement between CrowdStrike and Delta, “CrowdStrike’s liability to Delta for any damages related to the July 19 incident, if any, is limited to twice the amount of the fees. ,” the company said.

In addition, “neither Delta nor CrowdStrike shall be liable to the other for any indirect, incidental, punitive, or consequential damages of any kind related in any way to the July 19th Incident, including, but not limited to, lost revenue , profits or commercial funds. ,” CrowdStrike said in the filing.

CrowdStrike Seeks Federal Jurisdiction

CrowdStrike said it filed its lawsuit in Georgia district court because it believes the court has jurisdiction over the dispute with Delta.

The court has jurisdiction under federal law because “the resolution of this action and Delta’s threatened claims and alleged damages against CrowdStrike are based on the Court’s application, interpretation and determination of a number of federal laws and/or regulations,” CrowdStrike said in the filing or.

CrowdStrike pointed to two pending class action lawsuits involving Delta consumers seeking to receive damage payments from Delta for flight delays and cancellations since July — in response to which Delta “liberally invoked and cited federal law.”

CrowdStrike’s filing asks the District Court of Georgia to enter judgment against Delta in this matter, including granting a declaration referencing the contractual limitation of liability in the June 2022 agreement between Delta and CrowdStrike, as well as an award of attorney’s fees.

Delta’s response to the CrowdStrike suit

In a Delta statement responding to the CrowdStrike lawsuit provided to CRN, the airline said it rejected CrowdStrike’s arguments as well as the filing of the suit in US District Court.

“We believe this declaratory action and the alleged bases for federal jurisdiction are without merit,” Delta said in Tuesday’s statement, adding that it “will promptly file a motion to dismiss and looks forward to substantiating its claims in the Fulton Superior Court.” .

Delta’s own lawsuit against CrowdStrike said the airline sought damages because it “suffered more than $500 million in out-of-pocket losses due to the faulty update, in addition to future revenue and serious damage to its reputation and goodwill.”

CrowdStrike is committed to further testing and rolling out phased releases of updates to prevent such outage incidents from reoccurring in the future.

And earlier this month, CrowdStrike co-founder and CEO George Kurtz said during a interview with CRN that overall customer sentiment was positive following the July incident, which “underlines the level of trust we have with our partner community and our customers.”

“I think customers have really recognized in the conversations we’ve had how much trust we’ve built up over the last decade — how many times we’ve saved them,” Kurtz said during the interview. “Everyone I’ve interacted with has been very supportive and understands what we’ve built, how we’ve helped them, and obviously how we’ve responded.”