Delta Airlines Managing Cloud Security and Response to a Large-Scale Cybersecurity Outage: An Analysis Using a CrowdStrike Software Update
Delta was hit harder by the outage than most of its competitors. The airline was forced to cancel more than 5,000 flights as a result of the outage, which stymied businesses worldwide when a failed software update from CrowdStrike, a major cybersecurity firm, crashed operations for millions of users running Microsoft Windows devices.
Bastian said there was no choice but to take action against CrowdStrike. We are not going to wipe them out, but we should be compensated for what they cost us. Half a billion dollars in five days.
Delta was reliant on both CrowdStrike and Microsoft, said Bastian during his interview with CNBC. We got hit the hardest with the recovery capability because we were by far the heaviest in the industry.
Over the last seven days the carrier has only had more than 100 canceled flights as they are back up and running. Delta was left to recover from a lot of financial and reputational damage. It also faces an investigation by the U.S. Department of Transportation over its response to the outage.
Delta has not yet filed a suit, but comments made by Bastian could lead to litigation against CrowdStrike for the outage. Delta has already hired the prominent litigator David Boies, chairman of the firm Boies Schiller Flexner, in advance of a potential lawsuit, according to a source familiar with the decision who was not authorized to speak publicly.
“If you’re going to be having access, priority access to the Delta ecosystem in terms of technology, you’ve got to test the stuff. You can’t come into a mission-critical 24/7 operation and tell us we have a bug,” Bastian told CNBC.
Asked about a continuing relationship with Microsoft after the crash, Bastian said he regards it as “probably the most fragile platform” and asked the question, “When was the last time you heard of a big outage at Apple?” He placed some blame on the valuations of big tech companies, which lately have been lifted by generative AI hype, saying, “…they’re building the future, and they have to make sure they fortify the current.”
CrowdStrike shareholders filed a proposed class action lawsuit this week. The suit cites CrowdStrike CEO George Kurtz’s comments on a March 5th call that its software was “validated, tested, and certified.” CrowdStrike didn’t perform the same level of testing on Rapid Response Content updates as it did on other updates, and so its Content Validator checks failed to catch the bug that caused the global IT crash.
As described in Tom Warren’s recap of the events on the 19th, unlike Microsoft, Apple has in recent years restricted the access third-party developers have to the kernel of macOS. A Microsoft spokesman told The Wall Street Journal that it could not legally wall off its operating system in the same way Apple does because it reached an understanding with the European Commission. The European Commission disagrees, telling The Verge, “Microsoft is free to decide on its business model and to adapt its security infrastructure to respond to threats provided this is done in line with EU competition law.”