It’s round three and the gloves are off, with Delta Air Lines sending another dramatic letter back to CrowdStrike after the software company mocked the Atlanta-based airline for a self-inflicted wound following a failed software update.
Delta Deconstructs CrowdStrike Rebuttal In Latest Legal Exchange
After Delta sent a strongly-worded letter to CrowdStrike demanding it pay damages or face a lawsuit, CrowdStrike sent a strongly-worded letter back to Delta, pointing out that Delta was unique among its peers in suffering a meltdown due to a failure to invest in IT that went well beyond what CrowdStrike could reasonably be held liable for.
Delta, represented by Boies, Schiller and Flexner, have fired back with a letter seeking to deconstruct the CrowdStrike narrative and again push for compensation. Let’s take a look:
We appreciate CrowdStrike’s “apology to Delta.” However, an apology alone in these circumstances is vastly inadequate, and when accompanied by misstatements and attempts to shift the blame to Delta of doubtful sincerity.
It’s a fair point. I’ve said before that “apology” has historically meant defense and “I apologize” means nothing to me.
We were surprised and disappointed by CrowdStrike’s efforts to minimize the international
disaster it caused (including by seeking to downgrade it to an “incident” or an “outage”). The
CrowdStrike update caused a catastrophic shutdown of more than 8 million computers around the world and disrupted countless companies’ business operations. At Delta, it shut down more than 37,000 computers and disrupted the travel plans of more than 1.3 million Delta customers.
Is that what caused the disruptions or was it a chain event that began with CrowdStrike and gained momentum like a snowball rolling down a hill due to other factors?
We were even more surprised and disappointed by CrowdStrike’s decision to try a “blame the victim” defense. There is no basis – none – to suggest that Delta was in any way responsible for the faulty software that crashed systems around the world, including Delta’s. When the disaster occurred, dedicated Delta employees across the company worked tirelessly to recover from the damage CrowdStrike had caused. Their efforts were hindered by CrowdStrike’s failure to promptly provide an automatic solution or the information needed to facilitate those efforts. Incredibly, CrowdStrike released an automatic faulty update that crashed millions of Microsoft-Windows based machines without being able to automatically correct that error for several days. It is CrowdStrike’s conduct, and CrowdStrike’s conduct alone, for which CrowdStrike is liable.
Note here that when Delta says, “There is no basis – none – to suggest that Delta was in any way responsible for the faulty software that crashed systems around the world,” that is not really the issue. The issue instead is whether Delta was any way responsible the operational meltdown it is now solely blaming CrowdStrike (and Microsoft) for.
As I mentioned a few days ago, CrowdStrike has chosen to blame the victim (here, Delta) and downplay its own role, which I find the weakest part of its argument (rather than just talk about superseding causes). But this is the weakest part of the letter since everyone admits that CrowdStrike is responsible for the failed initial software update.
Although you say “CrowdStrike took responsibility for its action,” CrowdStrike’s current position as reflected in your letter seeks in every way to escape that responsibility.
Without trying at this point to correct every inaccuracy in your letter, I note:
This is a valid point. Of course, it is hardly a surprise.
- People Suffered Because of Your Faulty Update: Given CrowdStrike’s conduct, there is no “liability cap” at “single digit millions.” The contract does not cap liability or damages for gross negligence or willful misconduct. Your position disregards the massive impact that CrowdStrike’s conduct has inflicted on Delta, its customers, and its people.
As I mentioned after the first CrowdStrike rebuttal, any compensation paid may well come down to contractual langauge and if there is no cap for gross negligence or willful misconduct, Delta at least has a case to make that CrowdStrike acted in such a manner.
- The PIR Confirms Your Tortious Conduct: Contrary to your letter, CrowdStrike’s Preliminary Post Incident Review (“PIR”) confirms that CrowdStrike engaged in grossly negligent, indeed willful, misconduct with respect to the Faulty Update. CrowdStrike’s PI admits that CrowdStrike did not properly validate or test the Faulty Update, relying instead on tests of other earlier-released components of its Falcon system. CrowdStrike’s Root Cause Analysis (“RCA”) of the Faulty Update, issued on August 6, 2024, admits that had it maintained basic software development, testing, and validation procedures, the July 19 disaster from the Faulty Update would not have occurred. Egregiously, there was no staged rollout to mitigate risk and CrowdStrike did not provide roll-back capabilities.
I find this to be quite compelling, if true: if CrowdStrike pushed this update globally and without proper testing, it cannot simply “apologize” for what happened.
- CrowdStrike Showed No Sense of Urgency or Appreciation for the Scale and Scope of the Damage It Caused: CrowdStrike also did not work “tirelessly” to help Delta restore its systems. CrowdStrike’s offers of assistance during the first 65 hours of the outage simply referred Delta to CrowdStrike’s publicly available remediation website, which instructed Delta to manually reboot every single affected machine. While CrowdStrike eventually offered a supposed automated solution on Sunday, July 21 at 5:27 pm ET, it introduced a second bug that prevented many machines from recovering without additional intervention.
Another very powerful point in Delta’s favor, if true. Referring Delta to its remediation website and telling it to just reboot every machine is not easy for a company with 37,000 computers spread all over the world.
- CrowdStrike’s Monday Evening Offer of Additional Support Was Too Late: CrowdStrike CEO George Kurtz’ single offer of support to Ed Bastian on the evening of Monday, July 22, was unhelpful and untimely. When made almost four days after the CrowdStrike disaster began–Delta had already restored its critical systems and most other machines. Many of the remaining machines were located in secure airport areas requiring government-mandated access clearance. By that time Delta’s confidence in CrowdStrike was naturally shaken.
Another strong point, if true. CrowdStrike claimed, “CrowdStrike’s CEO personally reached out to Delta’s CEO to offer onsite assistance, but received no response.” But if that overture came on day four, it really was too late to do any good…
- Delta’s IT Investments Resulted in Worldclass Operational Industry Performance: Delta rejects CrowdStrike’s misplaced attempt to shift responsibility for its failures to Delta’s “IT decisions and response to the outage.” First, those “decisions and response” had nothing to do with the cause of the outage. Moreover, for the last several years, including prior to and following its recovery from the Faulty Update, Delta’s operational reliability and customer service has led the airline industry. Delta has achieved its industry-leading reliability and service due, in part, to investing billions of dollars in information technology.
While Delta is correct that its IT systems “had nothing to do with the cause of the outage,” this again is not the issue…the issue is whether Delta’s IT systems had anything to do with the meltdown that followed. That remains to be seen. Delta claims that one reason it has been an industry-leader in operational reliability is because of its IT (not despite its IT) which does not strike me as a strong argument, though is not a surprising one.
- Reliance on CrowdStrike and Microsoft Was the Reason Delta Took Longer to Fully
Recover: Contrary to your misrepresentation of Delta’s technology, the reason for Delta’s disproportionate experience relative to other airlines, was its reliance on CrowdStrike and Microsoft. Approximately 60 percent of Delta’s mission-critical applications and their associated data–including Delta’s redundant backup systems–depend on the Microsoft Windows operating system and CrowdStrike. Delta has long regarded CrowdStrike and Microsoft as reliable technology providers. Delta’s reliance on CrowdStrike and Microsoft actually exacerbated its experience in the CrowdStrike-caused disaster.
This is a factual assertion: Delta says it performed so much worse than American or United because Delta relies more on CrowdStrike and Microsoft. I have no idea if that is true (in fact, I question whether it is), but this would come out in any litigation.
- CrowdStrike Caused the Disruption to Delta’s Crew Tracking System: The CrowdStrike disaster disrupted Delta’s operations resulting in thousands of crew members being dislocated from their scheduled assignments for an extended period of time. The resulting prolonged delay caused a massive amount of incomplete and inconsistent data to be delivered to Delta’s crew tracking system once it was finally restored. The magnitude of the backlog on the day of the disaster was substantially greater than any backlog resulting from prior disruptions and required several days to resolve. It required significant human intervention by skilled crew specialists to get Delta people and aircraft to the right locations to resume normal, safe operation. By July 24, Delta’s operations had fully stabilized to industry norms, and, by July 25, they had fully recovered to Delta’s targeted levels of reliability. However, the impact of CrowdStrike’s Faulty Update on Delta’s customers and crews between July 19 and July 23 was severe and substantial.
Here, Delta confirms that its own crew scheduling software was the true cause for the meltdown…with the important question now being the link between CrowdStrike and the crew scheduling software.
We are still working to understand the full extent of what CrowdStrike did (and didn’t do) that resulted in the disaster that everyone in the world other than CrowdStrike seems to know occurred. Rather than continuing to try to evade responsibility, I would hope that CrowdStrike
would immediately share everything it knows. It will all come out in litigation anyway. If CrowdStrike genuinely seeks to avoid a lawsuit by Delta, then it must accept real responsibility for its actions and compensate Delta for the severe damage it caused to Delta’s business, reputation, and goodwill.
Another strong letter from Delta that seems to accomplish two main things. First, it downplays the “we offered you help” defense that I never found convincing in the first place. Second, it does stake a causal link between CrowdStrike and its crew scheduling software. That seems to me to be the key fact and one that Microsoft has already questioned (suggesting it runs via IBM).
CONCLUSION
I don’t have a dog in this fight, but I do think Delta has a stronger argument (and that CrowdStrike will seek bankruptcy protection and Delta will never see the $500 million it wants). I also see a reasonable chance that Delta can prove gross negligence, though the link between CrowdStrike and its crew scheduling software remains an open question.
image: Delta
I’m not as impressed by the letter as you. It’s still trying to pin all the blame on CrowdStrike, but that’s not really the issue, I think. Everyone knows CrowdStrike caused an outage that had worldwide impact, and even that it’s response was far from adequate.
But it really doesn’t address the issue as why most everyone else (airlines and other business) were able to mostly recover in 1-2 days an Delta took one week. I’m sure there are companies as big or bigger than Delta that rely even more on Microsoft systems, and did not have a meltdown as big and as long as Delta had.
+1
This is a correct assessment. First Delta is hardly the only company that had negative effects. They just were the highest profile. They had a duty to mitigate and there is question whether DL did.
That is true and that will come out if this goes trial. I’m not convinced Delta did not do it all it could.
Doing all they could do after the fact isn’t the same as having mitigation plans in place. I still think the emperor is seen naked (Ed) after all of this.
This is fun . Like reading both the actor and the actress legal positions , in a big money divorce , written by the slimy Hollywood lawyers . However , instead of “Hollywood Confidential” , now it is “Airline IT Fussing and Slapping” .
This was what I was going to say. Screw delta trying to shift blame. If something wasn’t off on their side, they wouldn’t have still been limping along 4 days later when the entire rest of the developed world had already moved on.
+1
Delta is not the victim, passengers are. Funny how instead of issuing an actual apology and making things right for passengers, Delta does neither but makes the same demands from others. Nice attempt to shift blame. Again. But hey, at least Bastian got to ditch the problems to go see the Olympics because – priorities.
This will not end well for Delta. Their reputation, which was already exposed in 2022 and 2023 to be overstated, will continue to deteriorate. People have lost confidence in deltas reliability long before the Crowdstrike issue. The false narrative that delta is a premium airline let alone a lifestyle brand has been proven a fraud. No one likes a Bully and that is the M.O. of Bastian. Even if any lawsuit is successful crowdstike will BK their way out and Delta won’t see any money and will have further eroded their brand
Many different issues here. But I do believe Delta has fatal hubris, is not nearly as premium as it styles itself, and that CrowdStrike will escape most liability through BK.
That does not change my assessment, however, that CrowdStrike shares far more of the blame than Delta for the meltdown.
Your last comment is correct. However I would liken it to the assasination of Archduke Franz Ferdinand as the cause of WW1. Yes it was the spark and yet it bears the proximate responsibility. But to blame gavrilo princip for 20 million dead because he offed the Duke makes no rational sense. Lots of things could have and should have happened that pile blame on top of blame.
It wasn’t the “spark” … it was the “manipulated excuse” .
Same as a driver blaming his inattention accident , on the other driver for “being there” .
You are uninformed of CRWD financials, they have $3.7B in cash in their balance sheet and create $375M a Q in positive cash flow. Predicting BK takes away from your credibility even though the rest of your article is excellent.
Certainly not from the DL alone, but if DL is successful and everyone follows, then I do see a reorganization is possible.
Sounds like “Nah, I’m blaming all of my incompetence on you.” They’re only rebutting to CRWD because CRWD’s market cap is similar to theirs (actually doubled but I guess they’re going off on order of magnitude) so they think that they have a shot against them but not to MSFT because MSFT is at a market cap of 3 trillion.
My feeling is that DL is going to try to drag this out and try to aim for a settlement so that they can get some cash from them.
Sure, I think DL would be very happy with a settlement but I cannot escape my belief that CS owed a duty of care to DL and failed.
I agree that CRWD has liability with the initial crash that Friday, but DL seems to be blaming the extra four days or so on CRWD. That’s where DL’s argument falls apart.
The IT company ought to blame Delta’s lawyers for the outage .
As someone who’s been in the IT service provider space, I seriously question whether DL can actually pull off anything near the scale of what it’s hoping to accomplish in it’s letter.
There are limits of liability in every contract. More importantly, there are caps to the damage the vendor and customer mutually agree to.
This is because it’s certainly possible that a mistake by the IT vendor can far exceed the value of the contract, and it would be impossible for it to actually pay damages for.
I don’t see this being any different. No one in the IT space will go into a sale if their exposed to unlimited liability. This is especially true when the continued difficulty of DL’s operations is a result of their crew resource management system not being able to be brought back online after Crowdstrike provided remediation, the same remediation that other airlines impacted didn’t have as long lasting issues with.
Hell, DL uses its conditions of carriage as a shield to protect itself from just about all its own issues from their customers. Why would it expect Crowdstrike not to be protected?
@TooMany … +1 . Good analysis . And both parties are spending a lot on bush-league lawyers to entertain us with the back-and-forth . All in all , an entertaining and enjoyable diversion from both companies .
Shreds? There are only two issues here. (1) the liability cap, CrowdStrike says that contractually Delta can recover at most less than $10m, and Delta does not respond to this; (2) whether Delta can prove *gross* negligence, which is a very different standard than negligence.
There will be a modest settlement, of an undisclosed amount, and that Delta will use that lack of disclosure to claim vindication.
Both parties have smarmy excuses for their joint stupidity .
Matt, I thought DL is only going for $500m from CS, but CS might declare BK if they lose? Wouldn’t they have some sort of litigation reserve? That would be a pretty big hit for CS – big enough company to be in Nasdaq 100/S&P500, and about 8k employees. Ouch.
DL will recover, and I hope CS doesn’t go out of business either. I sort of want DL to lose due to its & CEO hubris, but then CS seems to have a little of it too.
Would be Ch. 11 instead of Ch. 7. CS will survive.
This is why a national no fly list that even can have names added by FAs is good from Delta’s standpoint. All Crowdstrike employees could be banned.
CrowdStrike Castle:
The Nobles (airlines) and Barons (banks) are not happy with the Sovereign (CrowdStrike). The draw bridge has been raised (nasty correspondence) and the Guards (bill by the hour attorneys) have been put on alert. Even the peasants (passengers) are in an uproar and have drawn their pitchforks (class action lawsuit).
The Prince (George Kurtz) is bedazzled as his own court (stockholders) have turned on him (another class action lawsuit). He looks to the neighboring monarchy (Microsoft) as an alliance. However, the Maharajah (Nadella) has his own revolt in play as the water in the well (source code) has been contaminated.
The King (Peter Buttigieg) has issued a decree (via X, formerly Twitter) reminding one of the Dukes (Ed Bastian) of his responsibility to shepherd his flock and not be distracted by the royal jousting (Olympics) and fair maiden (new girl friend).
An ill wind (litigation) has fallen across the glen (cybersecurity) as all look to protect their flanks as rumors of Vikings (corporates raiders) attaching from the North Sea (West Palm Beach) have swirled among the gentry. One realm (Southwest) is already under siege from the Norsemen (Elliott Investment).
The Town Crier (court docket) will come forthwith with any new pronouncements (preliminary hearings) in the days to come.
Excellent parody , ( except Pete will never be a “king” , as he is rather in another direction than “paternal” ).
I’d like to read more about the Duke’s “fair maiden” .
How about Delta committing gross negligence?
Delta sucks. You all suck.
Dude, CrowdStrike has a $50 Billion market cap. They’re not going bankrupt over a $500 million judgment. No same judge or jury would give Delta anywhere near the full amount. I’d give them damages for first 1-2 days and that’s it
First 8 hours. That’s how long almost every corp I know were down for.
The issue is what about the rest of the brood. All the banks, colleges, brokerage houses, airports, TV media, government agencies, the other airlines, etc, etc, etc. They will be looking for their share of any compensation.
Let’s not forget the stockholders of CrowdStrike have filed a class action suit against CrowStrike management. Also, what about Microsoft. By their nature, they will fight this tooth and nail.
The whole mess could take 5 to 7 years to settle.
I work in transportation tech, though not in aviation. Every contract I’ve ever seen has a limitation of liability, and it is usually very limited. And regardless of what the contract says or what a court might rule, it is best practice — not to mention common sense — to not rely on the foolish hope that one’s contractor will (1) never ever fall down and if they do (2) they will magically get back up and make things right.
Well run transportation companies know that Job One in IROPS is to recover and take care of the customers. United, AA, et al did; Delta not only did not but now prefers to point fingers rather than fix things. Again regardless of what a court might rule, Delta is quite needlessly harming its reputation.
I am in IT in an unrelated industry, and a long time Delta customer with long term status and well over 1 million miles onboard Delta… and as someone who traveled the week of the meltdown on several trips, and also had other employees stuck because of Delta’s botched recovery, I have an different take on this.
It would be better if Delta could focus their time and energy to learn from these failures in this incident introspectively. Their IT has historically been awful, and we’ve known this for decades. For long-term customers, this was apparent during the Delta acquisition of Northwest in 2008 where they pretty much dissolved NW’s IT systems which were far more advanced than Delta’s at the time and absorbed them into Delta’s awful legacy platforms. It’s also apparent even on a clear day with no major systemwide issues and you have a flight mishap, their agents are notorious for spending an hour or more with one customer to rebook them and their own people complain and apologize constantly to their customers that their computer systems are not easy to use, and don’t work on a good day. I’ve been told easily over 100 times by Delta employees that they are sorry but the computers aren’t working and sometimes it takes an hour and three to five employees to fix a relatively simple problem in a single itinerary.
They are approaching this wrong. Don’t hire a high priced fancy lawyer with a good reputation… hire a new CIO with some vision, or if you think your CIO is the person to get you where you *need* to be, drop everything and give them the resources they need to modernize and make sure this never happens again. Hire external consultants to help you learn how to modernize your ancient IT systems and develop a better IT environment that is more distributed and resilient. Develop better IT incident response plans.
CrowdStrike provided remediation instructions that were easy to read and understand very quickly after the onset of this issue, anyone with any basic IT skills could perform them. The idea that they could not quickly reboot their alleged tens of thousands “mission critical servers” is a rouse. Anything dubbed mission critical that your IT people can’t touch by hand should have alternate means for remote rebooting and remote console access, these tools have been available for two decades, and are in use by many companies large and small for anything “mission critical”.
Also the language that Microsoft and CrowdStrike “gained priority access” to Delta’s operation is also misplaced. Delta IT selected these vendors. It was Delta’s IT that married these two systems in conjunction with their applications. Delta was free to select other vendors, and quite frankly, given the shift to cloud based development and operations in the past decade by many other industries, they kind have missed the boat and have failed to modernize their internal IT ecosystems. Many industries do not use Windows anymore for mission critical back-end operations. Many companies have redundant IT Infrastructure they can fail over to in an instant during an incident like this. It’s all on Delta that they are in this position.
This statement Ed Bastian made should be made introspectively to their IT teams, not at Microsoft and CrowdStrike. “If you’re going to be having access, priority access, to the Delta ecosystem in terms of technology… You can’t come into a mission critical 24/7 operation and tell us we have a bug. It doesn’t work.” That quote should have been spoken internally to Delta IT. Delta selected the technology and ecosystem… Delta itself failed here.
Crying out loud that that Delta has spent billions in IT capital and operating expenses falls flat… you can spend billions on the wrong designs or people, and you can spend billions on maintaining legacy software or hardware solutions and not spend money wisely… just because they spend a lot on IT doesn’t mean they are spending wisely. Clearly they didn’t invest that into an effective IT recovery, and incident response plan. Investors should be upset that Delta leadership spent billions on IT and has little to show for it.
As a sidebar, all of Delta’s employees weren’t focused on the outage recovery. Many of them were tasked with the Olympics initiative, and it amazed me while the CEO whisked himself to France and tuned out the problem before it was resolved… It amazed me how the operation had no problem executing a series of distracting branding changes during this same week. I was traveling the week prior and the week of the incident, and I was a bit taken back on how obsessed they were executing their Olympics marketing strategy during this outage. Some of these strategies involved IT changes. The WiFi passwords changed to Olympic themed phrases, updating the in-flight seatback systems with promos and airplane navigation gimmicks, updated signage in the airports and lounges, cocktail napkins in the SkyClub and on board… special food and drink items that were French and Olympics themed. Special events and entertaining. If this outage was a true all hands on deck incident as they claim, these efforts should have been put on hold to focus resources on the outage recovery and picked back up after operations were restored. They were myopic with the Olympics and already complaining about the $100M loss they were facing due to reduced demand for travel to France (a business miscalculation on their part)… so focused on the Olympics, they completely botched their response to the the $500M+ outage.
I truly suspect the total cost for this mishap at Delta will be well over $500M. It’s a shame, and Delta needs to be reflecting internally how to do better rather than externally claiming they did nothing wrong
Let us not forget this is all the EU’s fault. They forced Microsoft to let firms like Crowdstrick have access to software that IOS and Android don’t (at least for now).
I’m the guy who normally revels in stories of Delta in misery. But this time I’m definitely siding with Delta –
CrowdStrike’s total lack of remorse, not just to Delta, but also to all its customers, could only leading to one ending scenario –
Crowdstrike filing Chapter 7.
The Empire CrowdStrikes Back !!!!