Delta Air Lines has been given the green light to proceed with a lawsuit against the internet security company Crowdstrike over an IT outage last July that led to a week-long operational meltdown at the Atlanta-based carrier.
After failing to reach an out-of-court settlement with Crowdstrike, attorneys for Delta filed a suit in a Fulton County court last October, accusing the security service firm of a “series of intentional grossly negligent acts.”
Like many airlines, Delta used Crowdstrike to keep computers using the Microsoft Azure platform safe from cyber attacks, but on July 19, 2024, the company pushed an untested software update to millions of computers worldwide.
The bug-ridden update caused a ‘blue screen of death,’ taking down key operational systems used by supermarkets, banks, and airlines around the world.
Crowdstrike was able to deploy a patch for the failed update within hours, and most airlines were able to recover their operations within a day or two. The situation at Delta could not, however, have been more different.
What is the software that caused computers around the world to crash last July?
Crowdstrike is a leading cybersecurity company based in Austin, Texas, which has various products to protect cloud-based software systems from being hacked.
One of its key products is the Falcon platform, which is described as
an “endpoint security protection and threat intelligence” system that can detect hack attacks and quickly block unauthorized access to key operational systems.
Central to Falcon’s ability to detect threats is the ‘Falcon Sensor’ software that is installed locally on end-point computers.
Crowdstrike pushed an automatic update to the Falcon Sensor for Windows but it tuned out that this update caused computers to crash.
The airline went into meltdown after it lost track of pilots and flight attendants, resulting in more than 7,000 flight cancellations. Delta claims it racked up losses of around $500 million as a direct result of the Crowdstrike outage.
Following months of legal tussling, a Fulton County judge ruled that Delta could proceed with two claims made in its original claim against Crowdstrike.
- Negligence
- Computer trespass
The judge did, however, dismiss one claim of intentional misrepresentation or fraud by omission.
Delta is seeking up to $500 million from Crowdstrike to cover its total losses from the outage.
Crowdstrike argues that its contract with Delta makes it liable only for claims in the single-digit millions of dollars. Following the ruling, the company said that it stands behind this belief.
There are also claims that Delta’s operational meltdown was caused by a failed software system used to control pilot and flight attendant schedules that doesn’t even run on the Microsoft platform.
The legacy IBM system, it is argued, was susceptible to problems, and while other airlines have invested in updated software, Delta had allegedly failed to upgrade its systems.
In a counter-lawsuit filed by Crowdstrike against Delta, the company alleged that Delta had refused assistance from its expert technicians–potentially because Delta knew that the main issue was an old computer system that didn’t actively use Crowdstrike.
Delta denies these allegations, saying that it has a track record of investing millions of dollars in the latest computer software.
Earlier this month, Delta lost a legal battle to have a consumer lawsuit over last July’s Crowdstrike meltdown thrown out of court.
A federal judge concluded in a lengthy ruling that Delta’s motion to dismiss should be denied, although the airline succeeded in having several claims made under local state laws and European denied boarding regulations thrown out of court.
