
Delta Can Sue CrowdStrike Over Global Outage That Caused 7,000 Canceled Flights (reuters.com)
Delta can pursue much of its lawsuit seeking to hold cybersecurity company CrowdStrike liable for a massive computer outage last July that caused the carrier to cancel 7,000 flights, a Georgia state judge ruled. From a report: In a decision on Friday, Judge Kelly Lee Ellerbe of the Fulton County Superior Court said Delta can try to prove CrowdStrike was grossly negligent in pushing a defective update of its Falcon software to customers, crashing more than 8 million Microsoft Windows-based computers worldwide.
Re: (Score:3)
Did you just do math with the assumption that each plane is a private jet flying precisely one paying customer?
Re:Why? (Score:5, Insightful)
It's not simply the ticket costs, you have fuel, staff, overtime, customer payouts and make good flights (many of which likely are not full profitable flights as intended), gate fees (now you have to shuffle your entire fleet around off your schedule and airlines are extremely diligent about their scheduling, it's a scheduling business, every plane is expected to be in certain places at certain times) plus reputational damage.
Part of a lawsuit like this is the plaintiff has to (somewhat) justify the money it's asking and I am sure Delta's lawyers have all those points and financial statements and more in their briefing to the court.
Re: Why? (Score:2)
Part of the ticket costs go towards the fuel, workers, etc.
Re: (Score:2)
Yeah and now you have to pay all those people more than they were originally supposed to, they had to deal with much of the work for the original flights, undoing those flights and redoing them. What are you saying?
Re: Why? (Score:1)
Is it really unfair reputational damage if they didn't have proper dev/prod testing of patches? Lol.....
Re: (Score:2)
That's up to the judge
Re: (Score:2)
> It's not simply the ticket costs
Even if it were just the ticket costs you could easily get to $500m if you assume that more than one person flies on each plane. I mean the OP got to $14million assuming just a single passenger each time with their math.
Re: (Score:3)
The carrier sued Austin, Texas-based CrowdStrike three months after the July 19, 2024 outage disrupted travel for 1.4 million Delta passengers.
Delta has said the outage cost $550 million in lost revenue and added expenses, offset by $50 million of fuel savings.
TFA gives the relevant numbers.
https://www.reuters.com/sustai... [reuters.com]
Re: (Score:2)
You really suck at math.
Delta is a commercial carrier, operating:
- small regional jets with ~70 seats, such as the Bombardier CRJ-900 [delta.com] and the Embraer ERJ-175 [delta.com]
- large twin-engine jets with ~180 seats, such as the Boeing 737-900ER [delta.com] and the Airbus A321Neo [delta.com]
- wide-body jets with ~240 seats, such as the Boeing 767-400ER [delta.com] and the Airbus A330-900 [delta.com]
They also operate private charter flights, but the majority of their business is in large passenger jet travel.
Also, unless traveling over an ocean, who's paying $2000 a ticket
Maybe they'll face some consequences now? (Score:4, Interesting)
CRWD
July 16 2024: $337
Low Point, Aug 2 2024: $218
Feb 19 2025, new all-time-high: $450
Today: $442
To have the most public IT meltdown in recent memory that was caused by an admitted mistake by the company to only 6 months later hit an all time stock price and go on a 6 month rise in value.
Maybe they really turned it around their fundamentals in a public and transparent manner but really I think this speaks to something in terms of how we value what companies do and how to quantify that through the market.
If you're the C class at Crowdstrike you're not getting fired you're getting a big fat bonus check.
Re: (Score:3)
The rich getting richer at the expense of the masses.
Re: (Score:2)
> The rich getting richer at the expense of the masses.
If you keep your mouth shut and toe the company line, someday you might be invited to be a corrupt c-level!
Re: (Score:2)
It was a long time ago we saw the events of SQL Slammer, Melissa and other similar worms that were disruptive but at least mostly harmless. No ransomware or similar, just bugging IT crews.
Re: (Score:2)
Well they can thank us. After all the Slashdot hivemind was very quick to blame this on Microsoft's architecture so why would their stock price drop. People need to acknowledge it was their fault first, and we can't even agree to do that here, among the tech heads. Even when we pointed out crowdstrike caused a Red Hat boot loop a while back people still parroted the idea that this was Microsoft's fault.
But in any case they won't face consequences. Delta can bring a lawsuit, but they won't win anything meani
Precedents (Score:3, Interesting)
If Delta ultimately wins based on its claims, that will have interesting consequences for enterprise software vendors (ESVs).
Even if it doesn't, ESVs will be reworking their EULAs and contracts to reflect that they can't be held liable for the performance of their software on business operations. It'll be fun to watch the case progress and what the EULA terms limit Crowdstrike's liability.
IBM did lose a case to Lufkin Ind. for $23m and this case is about 24 times that amount.
Re:Precedents (Score:5, Insightful)
You missed the part of Gross Negligence. You can't EULA-away (or even a formal contract) liability for gross negligence.
Re: (Score:2)
Criminal Negligence sure, I don't think from an EULA perspective you can hold a vendor harmless.
Here's a boilerplate from a doc that I use:
Indemnification and Limitation of Liability
The End User agrees to indemnify, defend, and hold harmless [Software Company Name], its affiliates, officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses, including reasonable attorney fees, arising out of or in any way connected with the use of the software. Under no circumstances shall [Software Company Name] be liable for any indirect, incidental, special, or consequential damages, including but not limited to loss of data, business interruption, or lost profits, even if advised of the possibility of such damages.
Re: (Score:2)
> Criminal Negligence sure
Gross negligence is just a greater degree of negligence, commonly described by words like wilful, wanton and reckless. Criminal is worse, e.g., involving intent to do harm. Not that there aren't contexts in which gross negligence is criminal, like in situations where there's a risk of injury or death. This is part of the reason some software companies ban the use of their products in medical and nuclear fields.
Re: (Score:3)
I recall reading a Microsoft Excel EULA that said:
I never forgot that disclaimer. It was so true.
The current Azure license [microsoft.com] states:
Re: (Score:2)
>TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS
It's literally in the text you quote. Gross negligence and its analogues are almost universally considered something you cannot waive yourself from. That's the difference from normal negligence.
The idea here is that you can waive the "we did our best effort and it failed", because there are many cases where you cannot ask more than best effort from people without being utterly unreasonable.
On the other hand it's the exact opposite with gross negligence. Tha
Re: (Score:2)
They also apparently don't even mean to imply that the software is fit to be sold at all, if I'm reading that right.
Re: (Score:2)
> You missed the part of Gross Negligence. You can't EULA-away (or even a formal contract) liability for gross negligence.
Except you missed the part that this isn't proven, and it will be an insanely difficult bar to beat since proving gross negligence is very difficult (willful, wanton, and reckless conduct). And... even if you do, Delta showed that much of their costs were their own incompetence. There's a reason the entire rest of the airline industry was pretty much operating again the same afternoon, while Delta was grounded for several days. - A lack of a business continuity plan is not the fault of someone else.
I wouldn
Re: (Score:2)
> You missed the part of Gross Negligence. You can't EULA-away (or even a formal contract) liability for gross negligence.
The truth of that statement remains to be seen. It is going through court right now.
Re: (Score:2)
It is past time for vendor liability. At least when they cannot prove they followed the state-of-the-art, i.e. simple negligence. What CrowdStrike did was inexcusable and did follow nothing. Tech has to be reliable and messing up badly must have real consequences for the ones doing it.
Re: (Score:2)
Delta was only one customer of many affected.
Be that as it may Delta was uniquely affected. Their own lack of business continuity planning caused most of the loss. Most other airlines were operating again by the afternoon, Delta was downed for days.
Re: (Score:2)
In this case, they weren't using the "cheap" option, CrowdStrike was not that. Negligent, yes, but not cheap.
In Delta's defense, nobody thinks the vendors they use, will be THAT negligent.
Re: (Score:2)
That's a funny take, to suggest that Southwest had the "modern" solution. Southwest has been known for a long time, to have antiquated systems. I think *that* is actually what protected them in this case.
And the CrowdStrike-protected computers, wouldn't boot. It wasn't just the databases that didn't come up, it was the host itself.
Re: (Score:2)
Southwest specifically updated their systems in the last decade because of a previous outage. The "t
Re: (Score:2)
they had no way to bring up all their computers in a way where they didn't immediately crash each other
This is not a correct assessment. In actuality, the servers themselves either experienced a BSOD or went into OS recovery mode, due to the fault in the CrowdStrike kernel-level driver.
https://www.messageware.com/wh... [messageware.com].
This had nothing to do with terminals "overwhelming the databases."
Re: I really can't sympathize with Delta (Score:2)
Delta had a completely unrelated latent system design problem that meant they could not recover from the systems all going down at once.
Re: (Score:2)
So essentially, your gripe with Delta is that they deployed CrowdStrike more broadly than other airlines. Got it.
This is not the same as having a more or less "modern" infrastructure.
Re: I really can't sympathize with Delta (Score:2)
Southwest's application stack was most resilient and they had booking systems up and running within the day. Other airlines had their application layer synced overnight.
Delta's application layer could not recover. If all their computers had rebooted at nearly the same time, they'd have the same situation where they were offline for days. Those cascading failures had nothing to do with the in
GEORGIA document filing is a joke (Score:1)
Signed up on Fulton County Superior Court web search thing. Added credit card.
The original complaint shows 0 pages, a cost of $0, and generated a "Server Error in '/EPayments' Application" with a long-ass stack trace.
Half the docket documents yield the same result.
If Reuters can't pull it up and the rest of us can't pull it off. Well. What a peach.
E
Almost feel sorry for Delta's CIO (Score:2)
Re: (Score:2)
Both were grossly negligent. I would assign 80% of the blame to Delta and 20% to Clownstrike.
Most of the blame goes to Delta because they could have unilaterally established a contingency plan within their business, akin to what the other airlines were able to pull off. But the Clowns struck with negligence as well. They had a shitty process, and knew it could cause major damage for their clients.
The spread in damages between their different clients, which were all hit with the same issue, shows that some c
Lawyers Win (Score:3)
The only people winning here are the lawyers.
They get fat fee, from Delta.
Delta - will end up publicly admitting that their ultra important daily driver of their entire business can be ruined by some random outside trusted agent over a direct internet connection. This is most certainly not in their risk management plan this way, and clearly wasn't a part of their recovery plan either.
The gross negligent party is whoever let their core traffic servers pull this shit down without testing first, or at least non-critical systems first.
Sure crowdstrike messed up, but that is exactly what insurance is for. The only people hurt will be the normies that pay for cyber and other insurance tools.
Re: (Score:2)
> their entire business can be ruined by some random outside trusted agent
Well it's either that or have no anti-virus. In this case, other companies recovered faster than Delta, but it would be easy for AV software to screw up much worse and trash all the hosts to the point of requiring OS reinstallation. That's going to be very bad for any large business.
Re: (Score:2)
Falcon is no mere 2000s style antivirus. I wish it were that easy. Each of these massive clusterfuck IDPS/SIEM/EDR systems that use the word cloud in their marketing probably do reach criminal negligence level ... but nobody can prove that in court. The cure really does seem worse than the illness sometimes. The closer you look, the worse it becomes.
I don't get it (Score:2)
Re: (Score:2)
Usually, you can trust a technology provider to work to some reasonable standards of quality. And for any other engineering product besides software, that is true. In particular CrowdStrike committed negligence that could not have been any more gross. In a normal engineering outfit, that would probably get people sent to prison. With software, nothing happens. And that is just wrong and totally unsustainable.
WINDOWS has been a security nightmare (Score:2)
> What is so great and unique about this product...
If you insist on using Windows, Clownstrike [thanks for that OP] helps it stay just a little behind the threat.
However, there ARE mitigation techniques, and Delta wasn't following them. You have a duty to mitigate your damages.
That's liability law.
E
Excellent (Score:2)
Delta has some deficiencies in their BCM and DR, but CrowdStrike committed negligence that could hardly have been any more gross. And crap like that needs to stop. We cannot have providers or critical tech with no accountability and no liability.
Re: (Score:2)
And that is what you do for critical technology. Any of that would have prevented the CrowdStrike disaster nicely. But they are far too busy getting rich to care about making reasonable technology. And not even the market is punishing them for their abject failure. That has to stop.
Re: (Score:2)
Deficiencies? No. They have straight incompetence almost on the level of CrowdStrike itself. Delta's BCM and DR was, and probably still is, complete garbage.
Don't Expect Much (Score:2)
CrowdStrike pushed a negligent update, sure, but Delta was down for way longer than they should have been and also refused help because of their own negligence and incompetence.
CrowdStrike liable for computer outage (Score:2)