In anticipation of litigation, CrowdStrike has sent a scathing response back to Delta Air Lines accepting blame for the initial faulty software update but warning that “Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions — swiftly, transparently, and constructively — while Delta did not.”
CrowdStrike Strikes Back: Sends Scathing Legal Response To Delta Air Lines
After Delta went public with its threats of litigation and hired prominent attorney David Boies to represent it, CrowdStrike released its response to Delta. Let’s look at the key part:
CrowdStrike reiterates its apology to Delta, its employees, and its customers, and is empathetic to the circumstances they faced. However, CrowdStrike is highly disappointed by Delta’s suggestion that CrowdStrike acted inappropriately and strongly rejects any allegations that it was grossly negligent or committed willful misconduct with respect to the Channel File 291 incident. Your suggestion that CrowdStrike failed to do testing and validation is contradicted by the very information on which you rely from CrowdStrike’s Preliminary Post Incident Review.
CrowdStrike worked tirelessly to help its customers restore impacted systems and resume services to their customers. Within hours of the incident, CrowdStrike reached out to Delta to offer assistance and ensure Delta was aware of an available remediation. Additionally, CrowdStrike’s CEO personally reached out to Delta’s CEO to offer onsite assistance, but received no response. CrowdStrike followed up with Delta on the offer for onsite support and was told that the onsite resources were not needed. To this day, CrowdStrike continues to work closely and professionally with the Delta information security team.
Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage. Should Delta pursue this path, Delta will have to explain to the public, its shareholders, and ultimately a jury why CrowdStrike took responsibility for its actions — swiftly, transparently, and constructively — while Delta did not. Among other things, Delta will need to explain:
- Why Delta’s competitors, facing similar challenges, all restored operations much faster.
- Why Delta turned down free onsite help from CrowdStrike professionals who assisted many other customers to restore operations much more quickly than Delta.
- That any liability by CrowdStrike is contractually capped at an amount in the single-digit millions.
- Every action, or failure to act, by Delta or its third-party service providers, related to the Channel File 291 incident.
- The design and operational resiliency capabilities of Delta’s IT infrastructure, including decisions by Delta with respect to systemwide upgrades, and all other contributory factors that relate in any way to the damage Delta allegedly suffered.
In light of Delta’s July 29 letter, CrowdStrike must also demand that Delta preserve all documents, records, and communications of any kind — including emails, text messages, and other communications — in the possession, custody, or control of Delta, its officers and directors, and employees concerning, but not limited to, the items listed above. As I am sure you can appreciate, while litigation would be unfortunate, CrowdStrike will respond aggressively, if forced to do so, in order to protect its shareholders, employees, and other stakeholders.
I’m not nearly as amused or impressed as others by this strongly-worded response.
While I’m not surprised that CrowdStrike chose to take a tough tone, it seems this is like a drunk driver blaming the victim for not wearing a seatbelt after hitting him.
Was all of this foreseeable? No matter the foolishness of Delta putting all its eggs in the same CrowdStrike basket, the failed security update was the “but for” cause of the entire meltdown and Delta cannot be faulted for that.
Then there’s the issue of CrowdStrike offering help and Delta refusing. Well, if one of my vendors screwed everything up, I’d be hesitant to trust them too…though if it can be proven that Delta made the situation worse by turning down help that was ready and willing to step in, then that may be a further mitigating circumstance (and further expose the hubris of Delta). Delta CEO Ed Bastian also told CNBC that CrowdStrike offered no help after the incident beyond “consulting.”
Of course, the big question for Delta remains why it struggled for an entire week while American and United quickly got back on track. Yes, it does appear that Delta’s software is not as resilient as it should have been. But that doesn’t strike me as the key legal question.
Instead, the key legal question is the contract language and the specific limits of liability it spells out. Is there a cap well below the $500 million Delta is floating? Is there an exception for negligence or gross negligence?
CONCLUSION
CrowdStrike has struck back with a strongly-worded note to Delta from its attorneys, seeking to shift some of the blame back to Delta for its recent meltdown. It’s a well-worn legal strategy, but the key will come down to the details of the contract, something that has not yet been made public.
As for Delta, I don’t think the real rebuilding starts until it issues a sincere apology for its part in prolonging and exacerbating a mess. Blaming it all on CrowdStrike may be a legal tactic, but passengers are not buying it when other airlines recovered far more quickly. There is a divergence between legal strategy and the court of public opinion…
The point is that Delta looks foolish continuing to blame the whole thing on CrowdStrike. And it’s going to be tough to prove gross negligence or circumvent the liability cap. Delta doesn’t want their IT deficiencies, tech layoffs, and failures in mitigating compared to competitors dragged through depositions and court. They will settle, it will be for a relatively small number, and they’ll claim it vindicates them.
@Gary … +1. Bingo.
Exactly!
Bush-league Lawyers answering Bush-league Lawyers. Courts ought to banish petty accusations.
The problem is predictably failing tech, which is designed and controlled by ridiculous people.
How long this drags out before a settlement is a balancing act of Bastian’s hubris making him hold out to secure a ‘win’ (as a big 9 figure settlement likely solidifies his lack of blame in his mind) vs reminding the public every time a new story comes out about this that Delta melted down for a week when even the 2nd worst (United) was about 2.5 days, and most were back within 24 hours.
My guess is settled for low-to-mid eight figures within the next year or so, although I’ve underestimated Ed’s hubris before.
This is rattling of the sabers between lawyers….nice way to pump up billings.
The key here is if Delta is able to prove damages in court, the flood gate will open for the remaining hospitals, brokers, banks, airlines, colleges, broadcasters, etc, etc, etc. to get their share.
Based on Microsoft’s abysmal history on implementations and updates, it could claim its past updates included a degree of caution which was supposed to be addressed by CrowdStrike which could be left holding the bag in the long run. Let’s not forget that CrowdStrike shareholders are suing CrowdStrike management.
Could easily end up like J&J talcum powder development, or Deepwater Horizon, or the asbestos trust.
I give it 5 to 7 years to settle this mess.
Pretty hard to blame MSFT/CrowdStrike as liable when it is your choice to choose them as a vendor. There is a reason everyone uses them despite all of their deficiencies. This is also going to bring up Delta’s business continuity planning which is clearly deficient, otherwise they would have had small rollout IT updates for critical systems that were then scaled once proven to be acceptable. There is no way any reasonable jury sides with Delta, and the publicly rehashed black eye on the company will cost them even more goodwill. Fire Ed, and accept responsibility. Every one of the current crop of airline CEOs is terrible and clearly isn’t up to running a critical org such as airlines. They proved that in 2020 with the pandemic to start with.
And for Delta, this is a repeated issue. If I remember correctly, the other meltdowns that happened in the past 5 or 6 years were also due to crew management and the system needing humans to manually assign crew. It’s a well-known issue and I have no idea how the CIO has been there for all of them.
Exactly. Which then all goes back to the feet of Ed. He didn’t get someone competent in charge, therefore he should go because he doesn’t have the requisite qualifications to manage his airline.
Whether DL gets $1M or $100M is not the question. The question is if Delta can get CrowdStrike to be held accountable. Someone needs to be the first to scale the castle walls and capture the King. If so, there’s plenty of other businesses looking for their share of compensation.
CrowdStrike doesn’t want multiple suits, years of litigation, adverse publicity, and flight of customers to other providers. The wildcard is Microsoft who has the deepest pockets and will fight this most vigorously.
That’s the whole idea of a settlement fund. Once you partake, you settle your claim without further prejudice. This would allow CrowdStrike and Microsoft to close out this whole affair.
Plan “B” would be for CrowdStrike to declare Chapter 11 which has been used by corporations that have been held liable for huge amounts. IIRC, Texaco used this in the past when it lost a court case. My local archdiocese has declared Chapter 11 as part of its settlement of claims.
Talk about a mess. The only winners in Chapter 11 are the attorneys.
A PBP, yes, the lawyers are the only real winners here. That much we agree on.
The company I work for was hugely impacted by the CrowdStrike issue. BUT, we had invested in a Disaster Recovery Policy, which took time and resources to establish before there was an event. This policy and preparedness, plus a lot of hard work from IT staff, mitigated our issues within 12 hours of the first signs of the event.
It is very apparent that Delta did not make those kinds of recovery investments, and basically had to use the ‘turn it off and on again’ approach to mitigation because of that lack of investment in the ‘what if?’.
Blaming CrowdStrike for Delta’s inability to plan for an unexpected IT issue, as well as their lack of a plan or resources to recover, is a bit disingenuous. Why did UA or AA not see the disruption DL did? They were all impacted.
Delta is looking to save face, and anyone that works in the IT field can see right through their lack of planning. Go after CrowdStrike for mitigation costs? Sure. But business impact is 100% at the foot of Delta management that failed to plan for an IT outage.
I can’t wait for Tim to post and tell us why this had nothing to do with Delta.
While I’m not surprised that CrowdStrike chose to take a tough tone, it seems this is like a drunk driver blaming the victim for not wearing a seatbelt after hitting him.
[deleted]
You can “LOL” all you want, but to use and improve upon your poor simile: it’s like a drunk driver laughing at the victim. But in court. And the drunk driver is still drunk. (The drunk driver is Delta, btw.)
The situation is very nuanced and CrowdStrike, while partly to blame for a botched update, can open the doors to all the skeletons in Delta’s IT closet. Like most airlines, Delta needs an IT overhaul. UNLIKE most airlines, though, Delta is putting itself in a position to have made public just how shoddy their IT is. The flying public who regularly use Delta’s app and site already know. But CrowdStrike is a cybersecurity firm that knows exactly what to look for. This would be very bad for Delta during discovery if this goes to trial. Ed’s lawyers and CTO should be telling him that.
Stick to the issue and don’t make it personal. I also see this as a nuanced issue, disagree with your conclusion at this juncture, but I don’t call you an idiot…
if one of my vendors screwed everything up, I’d be hesitant to trust them too…
So Delta is failing catastrophically and you expect them to call a PLUMBER to fix this problem when the people who understand the problem and are already working on a fix reach out to you but you say no thanks?!? Interesting take.
But in your analogy, the plumber was the one who made a mess.
I wouldn’t necessarily trust that plumber again…even to change the toilet seat.
We all love to make fun of Delta and its ridiculous hubris…but Delta did not cause this problem. I’ll address the MSFT letter today…there is certainly some joint liability…but we can’t blame it ALL on Delta.
Not really the same thing, Matt. Every company has been hit by a bug at some point. Just look at how common the infamous BSOD is. If a bug could make you liable for a week-long outage, especially if you turned down support, MSFT, Google, Amazon, etc. would all be out of business.