CrowdStrike to Delta: Stop Pointing the Finger at Us

“Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions—swiftly, transparently, and constructively—while Delta did not,” wrote Michael Carlinsky, an attorney at law firm Quinn Emanuel Urquhart & Sullivan. 

Delta didn’t comment on the CrowdStrike letter. 

The letter to Delta’s legal team Sunday evening is the latest move in a growing conflict between the cybersecurity firm and the airline, which was thrown into several days of disarray following the outage.

Delta Chief Executive Ed Bastian said in an interview on CNBC last week that the outage cost the airline about $500 million, including lost revenue and compensation costs. The airline has alerted CrowdStrike and Microsoft MSFT -2.07%decrease; red down pointing triangle that it is planning to pursue legal claims to recover its losses, and has hired litigation firm Boies Schiller Flexner to assist, according to a memo Bastian sent to Delta employees last week.

CrowdStrike said Sunday that its liability is contractually capped at an amount in the “single-digit millions.” The company has said a bug in a quality-control tool that it uses to check system updates for mistakes allowed a critical flaw to be pushed to millions of machines running Microsoft Windows. 

The cybersecurity company reiterated its apology to Delta for the initial disruption and said it had offered on-site assistance to Delta but was told it wasn’t needed. It said Bastian didn’t respond to outreach from CrowdStrike’s CEO. 

CrowdStrike said it would respond aggressively to any litigation and demanded that Delta preserve documents and records related to its response to this most recent outage as well as previous IT problems over the past five years and other information related to its technology systems and backup plans.

Most airlines were back on track within a couple of days after CrowdStrike’s errant update. Delta continued to struggle well into the following week—something CrowdStrike highlighted in its letter. The airline canceled more than 5,000 mainline flights over several days, far more than rivals. The U.S. Department of Transportation is investigating how the airline handled the disruption and its customer response. 

Bastian has said Delta is heavily exposed to Microsoft and CrowdStrike and that was why it suffered so extensively. He wrote in his message to employees last week that the airline’s IT, operations and customer care teams are conducting an intensive analysis of the event to see what lessons it can draw from it. 

CrowdStrike’s outage hit 8.5 million devices, the cybersecurity company has said, but the problems experienced within corporate information-technology systems widened the impact. The outage temporarily grounded activity across a range of businesses, organizations and institutions such as banks and restaurants, colleges and government agencies.

Appeared in the August 5, 2024, print edition as 'Cyber Firm Hits Back At Delta For Outage Suit Threat'.