CrowdStrike hits back at Delta’s “public posturing” as war of words intensifies

CrowdStrike has pushed back against criticism from US airline Delta, which claimed the firm should be blamed for flight disruptions after the major IT outage affecting its Falcon sensor product.

The incident, dubbed the largest IT outage ever, rendered millions of Windows devices around the world unusable.

Microsoft estimated that a total of 8.5 million systems were taken offline as a result of the outages, which is likely to be on the lower-end as its projection was based on those who opted to share their crash reports.

In an interview with CNBC, Ed Bastian, CEO at Delta, claimed the airline had suffered costs of $500 million in relation to the outage, strongly hinting it was considering legal action against CrowdStrike.

The outage left Delta’s crew tracking system offline for almost an entire week, meaning it was unable to find and allocate pilots and flight attendants for its services. 

This meant Delta was among the slowest airlines to recover from the outage, and had to cancel approximately 30% of its scheduled flights over a five-day period.

When asked about potential compensation from CrowdStrike and Microsoft, Bastion complained the security firm had not offered the company anything at that point, barring “free consulting advice”.

Bastian reiterated that he was disappointed with CrowdStrike’s response to the incident, given the critical role its software plays in infrastructure around the world.

“If you’re going to be having access, priority access to the Delta ecosystem in terms of technology, you’ve got to test the stuff. You can’t come into a mission critical 24/7 operation and tell us we have a bug,”

CrowdStrike on the offensive

On the matter of seeking damages from the cybersecurity firm, Bastian said Delta doesn’t have much choice.

The airline has not filed a lawsuit against CrowdStrike or Microsoft at the time of writing, but reporting from CNN stated Delta has hired the law firm of leading attorney David Boies to seek compensation from the two companies.

In a letter responding to the threats of potential legal action from Delta, CrowdStrike reiterated an apology to the airline’s employees and customers while rejecting accusations of gross negligence or wilful misconduct.

The letter directly addressed Bastian’s claim that the firm had not carried out necessary testing before rolling out updates.

“Your suggestion that CrowdStrike failed to do testing and validation is contradicted by the very information on which you rely from CrowdStrike’s Preliminary Post Incident Review.”

CrowdStrike’s rebuttal noted Delta’s accusations have created a ‘misleading narrative’ that it was responsible for the airline’s IT decisions and response to the outage.

It raised a series of questions around Delta’s response, noting CrowdStrike took responsibility for its actions immediately, while Delta has yet to explain why its competitors were able to restore operations faster. The cybersecurity firm also questioned why Delta turned down onsite assistance from CrowdStrike professionals, who it noted helped many other customers swiftly restore operations.

Speaking to ITPro, a spokesperson for CrowdStrike said the ‘public posturing’ from Delta was not constructive, and hoped the two firms could agree to find a resolution.

“The letter speaks for itself. We have expressed our regret and apologies to all of our customers for this incident and the disruption that resulted. Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party. We hope that Delta will agree to work cooperatively to find a resolution.”

Delta declined to comment when contacted by ITPro.