CrowdStrike Strikes Back at Delta, Calls Lawsuit Threat ‘Meritless’

CrowdStrike has responded to Delta Air Lines’ reported lawsuit pursuit, calling any legal action “meritless” after last month’s faulty Falcon update caused massive disruptions the airline claims will cost them more than $500 million.

The update snafu caused more than 8.5 million Microsoft Windows machines to display the dreaded “Blue Screen of Death” globally, massively impacting transportation and critical services in a historic IT outage. The outage needed to be addressed by technical staff machine by machine and it took days to recover. Delta was hit particularly hard.

Delta CEO Ed Bastian went on CNBC’s Squawk Box and said the company had “no choice” but to pursue a lawsuit after canceling more than 5,400 flights over five days because of the outage. Bastian confirmed that his company had contacted prominent attorney David Boies to seek damages from Microsoft and CrowdStrike in response to the outage.

But a CrowdStrike spokesperson says any potential lawsuit won’t stand up in court. “We have expressed our regret and apologies to all of our customers for this incident and the disruption that resulted,” the spokesperson says in a statement emailed to InformationWeek. “Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party. We hope that Delta will agree to work cooperatively to find a resolution.”

Related:CrowdStrike Aftermath: Lessons Learned for Future Recovery

According to a letter from CrowdStrike attorneys addressed to Boies, the software company’s liability is contractually capped at an amount “in the single-digit millions” and said Delta’s response to the outage was also to blame. “Delta’s public threat of litigation … has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage,” wrote Michael B. Carlinsky, an attorney with Quinn Emanuel Trial Lawyers.

He added, “Should Delta pursue this path, Delta will have to explain to the public, its shareholders and ultimately a jury why CrowdStrike took responsibility for its actions -- swiftly, transparently, and constructively -- while Delta did not.”

The letter says Delta ignored offers to help from the CrowdStrike team, including a personal offer from CrowdStrike CEO George Kurtz to Delta’s Bastian. “Within hours of the incident, CrowdStrike reached out to Delta to offer assistance and ensure Delta was aware of an available remediation.”

Why CrowdStrike’s EULA Could be a Shield

CrowdStrike, like other software companies, requires customers to sign an end-user licensing agreement (EULA) that limits the company’s liability after an incident. Brian Fox, CTO at software supply chain management company Sonatype, said such a high-profile case could create changes to contract law that would force vendors to share responsibility for such incidents.

Related:CrowdStrike Facing Lawsuits After Global IT Outage

“Years ago, you couldn’t sue an auto manufacturer or food manufacturer because you didn’t have a contractual relationship directly with the manufacturer … and when those things went to court, society decided that’s ridiculous… and they can’t disclaim that liability. And that’s ultimately where I think the software industry is today. To balance that out, you also can’t get to a place where software vendors have to take the entire risk.”

Fox says an incident of this magnitude is likely not the last time the issue will come up. “I think it’s going to be messy, but the publicity that this is getting, even if it doesn’t end up going to trial, is generally going to be helpful in pushing this conversation forward.”

InformationWeek has reached out to Delta and will update with any response.