Delta Sues CrowdStrike for $500M Over Catastrophic Meltdown

Delta Air Lines is seeking more than $500 million in damages from cybersecurity company Crowdstrike over a “catastrophic” software update in July that crashed computer systems worldwide and forced the airline to cancel thousands of flights.

Delta said the July 19 incident downed computers across its network and led to the cancellation of 7,000 flights over five days, impacting 1.3 million travelers.

Photo: Delta Network Planning. Courtesy of Delta

The disruption cost the airline $380 million in lost revenue and $170 million in direct costs. It now wants those out-of-pocket losses reimbursed by Crowdstrike, alongside unspecified amounts for lost profits, attorneys fees, and “reputation harm and future revenue lost.” The airline has engaged high-profile lawyer David Boies to fight its case.

“CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised for its own benefit and profit,” Delta said in its complaint, filed Friday in Georgia’s Fulton County Superior Court.

“If CrowdStrike had tested the faulty update on even one computer before deployment, the computer would have crashed,” the suit continues. “Because the faulty update could not be removed remotely, CrowdStrike crippled Delta’s business and created immense delays for Delta customers.”

Delta also claims that it had disabled automatic updates from CrowdStrike but that the cybersecurity provider’s Falcon software created and used an authorized backdoor in Windows to push through the update, which Delta said would not have allowed.

Photo: Delta, Airbus A319. Courtesy of Simon Ray / Unsplash

Crowdstrike rejected the claims. A spokesperson said: “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”

CrowdStrike has previously questioned why Delta was so slow to recover from the outage compared to other airlines and said its liability is “contractually capped” at under $10 million.

In an August letter, CrowdStrike attorney Michael Carlinsky said the then-threatened lawsuit hinged on “a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage.”

Delta maintains that it has invested billions “in licensing and building some of the best technology solutions in the airline industry.”

The U.S. Department of Transportation has also opened an investigation into the IT meltdown and the subsequent wave of flight cancellations.

Meanwhile, Crowdstrike has said it has implemented changes to prevent another outage of a similar scale, including no longer rolling out updates globally in one session and allowing customers to choose to be in the second or third wave of updates.