CrowdStrike prepares for battle as Delta given go-ahead for outage lawsuit

Delta Airlines passengers waiting at a customer service desk during the CrowdStrike outage in July 2024.

(Image credit: Getty Images)

published 20 May 2025

Delta Air Lines has been told it can take CrowdStrike to court to seek damages after last summer's outage forced the airline to cancel 7,000 flights.

In July 2024, a flawed update to CrowdStrike software knocked offline more than eight million Windows devices globally, causing widespread disruption for the companies that relied on them, from banks to retailers, broadcasters and airlines.

Delta said it had to manually reset 40,000 servers as a result of the incident, causing huge delays for commuters.

In the wake of the outage, the airline said it intended to sue the security giant to claw back some of the $500 million in costs from cancelling 7,000 flights, eventually filing a suit three months later.

CrowdStrike then counter sued and later moved to dismiss Delta's case. Delta also faces a class action by passengers, who claim the airline refused to issue refunds following the outage.

With the latest development, judge Kelly Lee Ellerbe of the Fulton County Superior Court in Georgia said Delta can go ahead with the case.

"Delta has specifically pled that if CrowdStrike had tested the July update on one computer before its deployment, the programming error would have been detected," the judge noted, according to a Reuters report.

"As CrowdStrike has acknowledged, its own president publicly stated CrowdStrike did something 'horribly wrong.'"

Alongside the allegations of negligence, the judge also allowed Delta to include a claim regarding computer trespass, but narrowed another claim relating to an unauthorized back door, which it says was used to issue the update.

Delta said it did not enable automatic updates, but that the faulty update was forced through.

"Delta has alleged that in performing its July update, CrowdStrike altered critical and highly sensitive kernel-level programming — intentionally bypassing required verification and certification procedures — and without performing basic quality assurance measures," the filing states.

The judge did dismiss one count, on intentional misrepresentation or fraud by omission, relating to sales presentations and renewals of the contract ahead of the incident.

“We are pleased by the ruling and remain confident in the merits of our claims against CrowdStrike,” the airline told Reuters.

CrowdStrike "pleased" at rejected claims

In a statement given to ITPro, CrowdStrike lawyer Michael Carlinksy said the security firm is “pleased” that several Delta claims were rejected.

Carlinsky added that the firm is “confident the rest will be contractually capped in the single-digit-millions of dollars or otherwise found to be without merit”.

When Delta first announced its intention to sue last year, the move sparked a war of words between the two firms. At the time, CrowdStrike noted that Delta was the airline hit the hardest, but specifically highlighted that rivals had remediated issues in a more timely manner.

The security firm’s fierce response accused Delta of spreading “disproven misinformation” and a failure to update aging IT infrastructure.

"Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure," the company said at the time.