Delta Air Lines recently filed a lawsuit against cybersecurity firm CrowdStrike, alleging that its software update caused a widespread disruption to the airline's operations, leading to thousands of flight cancellations and significant financial losses.
On July 19, 2024, Delta experienced a significant operational disruption that impacted thousands of flights. The airline attributed the issue to a software update from CrowdStrike, a cybersecurity firm that Delta uses to protect its systems. According to Delta, the update caused widespread system outages, hindering critical operations like check-in, baggage handling, and flight dispatch.
In a court filing last Friday, Delta alleged that CrowdStrike should be on the hook for the airline's more than $500 million in losses—partly because CrowdStrike has admitted that it should have done more testing and staggered deployments to catch the bug before a wide-scale rollout that disrupted businesses worldwide.
"As a result of CrowdStrike's failure to use a staged deployment and without rollback capabilities, the Faulty Update caused widespread and catastrophic damage to millions of computers, including Delta's systems, crashing Delta's workstations, servers, and redundancy systems," Delta's complaint said.
Delta has further alleged that CrowdStrike postured as a certified best-in-class security provider who "never cuts corners" while secretly designing its software to bypass Microsoft security certifications in order to make changes at the core of Delta's computing systems without the company's knowledge.
"Delta would have never agreed to such a dangerous process had CrowdStrike disclosed it," Delta's complaint said.
In its lawsuit, Delta claims that CrowdStrike's software update was poorly tested and deployed, resulting in a series of cascading failures. The airline asserts that the incident caused substantial financial losses and tarnished its reputation.
In turn, CrowdStrike filed a lawsuit against Delta over the IT outage, accusing Delta of seeking to shift blame for its own failings to the cybersecurity vendor.
The suit filed Friday in the U.S. District Court in Georgia came the same day that Delta filed its complaint against CrowdStrike in Superior Court in Georgia, seeking at least $500 million in damages from CrowdStrike over the incident.
In its lawsuit against Delta, CrowdStrike argues that its July 19 update was not to blame for the disruptions at the airline continuing well into the following week. United and American Airlines also saw business disruptions from the outage, but recovered faster than Delta.
"I really think that one of the most interesting points of this lawsuit is the assertion that 'like many of CrowdStrike's other customers, Delta did not enable automatic updates,'" said Violet Sullivan, AVP, Cyber Solutions at Crum & Forster. "If vendors can bypass their customer's configured settings (like opting out of automatic updates), it redefines what 'automatic' means in practical terms."
Sullivan added, "This lawsuit may drive companies to demand stronger assurances or contractual protections about the level of control they retain over their own systems, even when engaging outsourced services and software."
The legal battle between two major corporations highlights the critical role that cybersecurity plays in modern business operations. It also underscores the potential consequences of software updates gone wrong, even for well-established and highly regulated industries like aviation.
VJ Viswanathan, Founding Partner at CYFORIX, said he has been following the case closely, as it is invariably a topic that comes up in every board meeting update and could be a watershed moment in contract liability limitations.
"The case is shaping up to be a defining one for liability and risk in technology product and services. It underscores the significant financial and reputational damage that can arise from incidents that impact critical infrastructure," said Viswanathan. "It raises questions about the responsibility of solution providers in ensuring the reliability and integrity of their software, as well as the importance of rigorous testing procedures. It's another example of often repeated cautionary tales to not just invest in resilient technology but also regularly test disaster recovery plans."
Viswanathan continued, "Leveraging specialized managed service providers can rapidly mitigate system risks. However, it's crucial to conduct a thorough, multi-faceted risk assessment to clearly understand scope of service contract liability and fully consider the risks involved in business outage, particularly in cloud-based software supply chains."
As the legal proceedings unfold, it will be interesting to see how the court rules on the case and what implications it may have for the cybersecurity industry. The case could set a precedent for future software deployment and vendor liability.
"Regardless of the outcome, this case will have interesting case-law impacts on software liability and diligence, as well as the business continuity expectations for large organizations," said Casey Ellis, Founder and Advisor at Bugcrowd.
"In the event of a major incident with significant damages, it's not atypical for organizations to engage in blamestorming operations in an attempt to posture for a better settlement offer," said John Bambenek, President at Bambenek Consulting. "What seems to be clear, to borrow Reddit parlance, is 'everyone sucks here.' CrowdStrike clearly made mistakes, and noting that Delta had outages that were longer than its peers demonstrates that they could have done better too."