After Delta Air Lines served CrowdStrike Holdings Inc. with a lawsuit last week, CrowdStrike retaliated with a counter lawsuit filed in Fulton County Superior Court.
In light of the global IT outage this past July, CrowdStrike claims that the airline failed to uphold security standards, including failing to update firmware. The latest lawsuit claims that Delta’s own actions compromised thousands of passwords in its systems.
The CrowdStrike outage occurred during a universal firmware update on 19 July that automatically took place involving all CrowdStrike Falcon security programs connected to the internet. Due to a glitch causing Microsoft systems to function, various airlines that implemented Falcon were affected, with Delta alone having to cancel more than 5,000 flights over a span of a week.
Delta and CrowdStrike Clash in Court
Both Delta and CrowdStrike filed their lawsuit within hours of one another, with Delta submitting their complaint in court on 25 October and CrowdStrike filing later in the day.
Delta is seeking $500 million from CrowdStrike in damages affected by the IT outage, in addition to legal fees and punitive expenses. Delta’s lawsuit argues that CrowdStrike “cut corners and took shortcuts” and “caused a global catastrophe” as a result. The airline claims that it lost $380 million in customer refunds and $170 million for maintenance expenses.
CrowdStrike’s civil complaint defended the company’s actions, explaining how lingering issues on Delta’s end were caused by the airline’s own infrastructure. CrowdStrike also cited that other airlines have managed to recover faster from the July outage compared to Delta.
A CrowdStrike representative commented further on Delta’s claims to Law360:
“Delta’s claims are based on proven disinformation, demonstrate a lack of understanding of how modern cybersecurity works and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure.”
Additional Notes From Delta and CrowdStrike
Microsoft appears to have partaken in CrowdStrike’s lawsuit, repeating the sentiments of the IT security company. Back in late July, Delta Air Lines CEO Ed Bastian expressed plans to also sue Microsoft, but the lawsuit never materialized.
CrowdStrike’s attorneys have also pointed out that there’s a special compensation clause in the three-year contract signed by both parties in 2022. The clause cites that any compensation that CrowdStrike owes to Delta is limited to “twice the fee for CrowdStrike’s services”.
Boies Schiller Flexner LLP and Dondurant Mixson & Elmore LLP are representing Delta Air Lines. CrowdStrike has hired law firm Quinn Emanuel Urquhart & Sullivan for these ongoing legal proceedings.
As a response to CrowdStrike’s counter lawsuit, a Delta representative called the lawsuit “meritless” in a message to CIO Dive. The airline plans to file a motion to dismiss the lawsuit.
CrowdStrike is proposing for a declaratory judgment to prohibit Delta from demanding monetary damages from the security company.
Other Legal Struggles
Delta Air Lines has settled a class action lawsuit filed by customers that claimed the airline had mishandled the IT outage. The customers claimed to have had to pay even more money for air fares from competitors, meals, and rental cars due to negligence by Delta.
The class action lawsuit states that Delta failed to recover from the CrowdStrike outage, leaving passengers stranded at airports across the globe.
Investors have also labeled CrowdStrike a defendant in a separate legal battle that began weeks after the worldwide outage. The Plymouth County Retirement Association filed a class action lawsuit against the tech company in Austin, Texas.
In March 2024, CEO George Kurtz made claims to investors that the company tested and certified his software, with the association stating that Kurtz’ words were “false and misleading”. A CrowdStrike spokesperson responded to the lawsuit at the time, stating the company will aggressively defend the case.
