Delta officially launches lawyers at $500M CrowdStrike problem Delta Air Lines is suing CrowdStrike in a bid to recover the circa $500 million in estimated lost revenue months after the cybersecurity company "caused" an infamous global IT outage. Delta, a major US carrier, was among the most vocal victims of the outage in July, reporting thousands of canceled flights which affected more …
Whilst I agree, the fact Delta took so long to recover compared to others does seem to mitigate some of the blame, ie what many have already said about Deltas IT systems. Crowdstrike fucked up royally, but their fuckup highlighted a major weakness in Deltas systems that would have eventually shown up anyway through some other incident. I'm only marginally more on Deltas side in this than I am on the side of Crowdstrike. It feels like picking a side to cheer for when lawyers are suing each other :-)
Au contraire! It is not difficult to sue for lost revenue in the US or Canada when a direct link between the action (or inaction) of the perpetrator can be directly tied as the primary cause of the losses - an easy win in this case, though it'll be appealed for decades to come due to the size of the settlement.
"Delta caused a global catastrophe because it cut corners, took shortcuts..."
Firstly, in no way do I think that CS and MS shouldn't be held accountable.
But, coming from an enterprise architecture background, working in endpoint compute, *anything* we did to an endpoint was tested. Every iteration of Apple's OS betas throughout the summer was tested.
We had dev, stage and prod environments
Everything was tested with actual endpoint compute
We had roll back plans, and managed change windows
And this was NOT for an organisation where endpoint compute was so customer facing
So, for Delta to have just blindly allowed updates to happen makes them just as culpable as MS and CS
And what exactly makes Microsoft culpable here? CrowdStrike made a bad update and didn't test it. Delta installed that update and didn't have any plan for recovering if something went wrong. Microsoft was... also on the computer at the time. No, just because it was the Windows kernel that the faulty software attached to doesn't make Microsoft culpable. I've installed code into the Linux kernel which crashed it in the same way, but that's not Linux's fault. I also installed a piece of software on Windows that had a DRM module which required kernel access and didn't do good things with it. That was the fault of the creator of that DRM tool. I'm also happy to blame the sellers of the product that require the DRM module. Microsoft was not to blame for it.
If I understood correctly at the time, the "update" was pushed out from Crowdstike with no intervention or choice from those running the Crowdstrike agent.
There was no means of testing/staging before full production deployment.
So IMHO the culpable ones are Crowdstike.
I think this is the case(and hence the risk) with most security and AntiVirus products these days.
So does a lack of comprehensive testing and rollback plans equate to "gross negligence" or just negligence and a sloppy process? That's the $500M difference here. I've worked around software R&D for over two decades now and have witnessed more sloppy processes than not; that does not mean the intent was to crash the client's systems. It is difficult to prove gross negligence...
The popcorn futures are looking more and more interesting.
ClownStrike may well respond "aggressively" (I wouldn't expect anything less), but their failure has been rather well documented and I think any lawyer worth his salt will counter the feeble "their infra wasn't up to scratch" argument with ease.
Your job is not to count on your customer's infra and disaster recovery to ensure your business continuity.
This post has been deleted by its author
... and then suing the bungie jumping company for tying an elastic rope on you and throwing you of a bridge.
Everybody knew that such software is highly problematic. It's simply not a good idea to try to fix the problem of to much software by adding more software... particularly if that software is written by people who are not security minded.
I can understand private people being fooled by companies like this, but we are talking about a large company... with legal departments. Why didn't the legal department find the clauses that said that the software must not be used for critical applications? Why didn't any of the technical departments object to that sort of software? Why wasn't anything done when the Linux version of that software had, essentially, the same bug... some weeks before this?
What're the chances that any people who suffered actual damages from this massive outage will ever see even the smallest portion of any potential judgement or settlement?
Just as I don't really see any "good guys" on any side of this thing, nor do I see any actual "winners" either, apart from a bunch of lawyers, as usual.
"Bailiff ... kick these two nuts in the butt."
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
