IT security services firm Crowdstrike has filed a counter lawsuit against Delta Air Lines in an Atlanta federal court, claiming the carrier failed to follow security best practices, has outdated IT systems, and thousands of compromised passwords that impacted its ability to recover from a global outage in July.
Delta is seeking to recover the full costs of the outage and resulting operational meltdown that left tens of thousands of passengers stranded for nearly a week as the beleaguered airline canceled more than 5,000 flights after it lost track of its pilots and flight attendants.
The outage, which was caused by a faulty software update that was remotely pushed to computers running Crowdstrike’s Falcon security system, affected hospitals, supermarkets, banks, and many other businesses around the world.
Unlike nearly every other company affected by the outage, however, Delta struggled to recover, and issues dragged on for days.
Delta has maintained that Crowdstrike is solely responsible for its operational woes in the wake of the failed software update but Crowdstrike says it was the airline’s “own response and IT infrastructure that caused delays in Delta’s ability to resume normal operation, resulting in a longer recovery period than other major airlines.”
“In light of Delta’s threatened legal action, CrowdStrike brings this action to make clear that CrowdStrike in no way acted grossly negligent or committed willful misconduct and certainly did not cause the harm that Delta claims,” the civil complaint against Delta continues.
Crowdstrike contends that it took prompt action to remediate the bug-ridden software update and ‘diligently’ worked with customers, including Delta, to get their systems back up and running.
Attorneys representing Crowdstrike now claim Delta failed to recover from the outage because of ‘non-compliance’ with federal cybersecurity regulations, along with “technological shortcomings and failures to follow security best practices, including outdated IT systems, issues in Delta’s active directory environment, and thousands of compromised passwords.”
Crowdstrike engineers also found a custom IT script running daily on thousands of Delta’s computers, which the complaint alleges indicates the airline was aware of a “lack of proper hygiene in its systems.”
Last week, Delta filed a lawsuit in a Fulton County court seeking to recover $500 million from Crowdstrike in losses that it racked up during the meltdown, which includes $380 million in customer refunds and compensation and $170 million in additional expenses (save $50 million in fuel costs).
Crowdstike contends, however, that any compensation it owes to Delta is limited by a contract that the airline signed in 2022 for a period of three years. The agreement limits compensation to just two times the fee for the Crowdstrike service.
The complaint is demanding a jury trial to decide whether a declaratory judgment should be awarded to Crowdstrike, limiting Delta’s ability to demand monetary damages.
