Delta and CrowdStrike sued each other for damages following public arguments two months ago over which side was responsible for $500 million in revenue lost by the airline during the IT company’s outages over the summer.
A global IT outage on July 19 halted thousands of flights around the world due to a faulty update by the cybersecurity company, which impacted Microsoft operating systems. Delta was one of the last airlines to recover from the incident, which negatively impacted earnings for its third quarter.
A Blame Game
One page from a Fulton County, Georgia, court document posted to X/Twitter by aviation reporter Edward Russell on Friday showed Delta sued CrowdStrike for several offenses, including computer trespass, breach of contract, product defect, gross negligence and more.
In letters sent between the two companies publicly posted by reporters on X/Twitter, Delta previously alleged that CrowdStrike showed no sense of urgency for the damage it caused, and the company’s offers to assist the airline were too late.
AirlineGeeks reached out to the Superior Court of Fulton County requesting a full copy of the complaint issued by Delta. AirlineGeeks also reached out to Delta for additional comments.
Reuters reported CrowdStrike sued Delta in the U.S. District Court for the Northern District of Georgia on Friday stating the carrier’s own response and technology caused delays in its ability to resume operations.
In a copy of CrowdStrike’s complaint obtained by AirlineGeeks, Crowdstrike stated that it moved as quickly as possible to remediate issues caused by a faulty update immediately after the incident. This included reverting the July 19 update 78 minutes after it was first deployed and working with customers to bring systems online as quickly as possible.
On July 22, CrowdStrike said it pushed automated techniques to speed up these repairs.
CrowdStrike stated that Delta’s delayed outage “has drawn regulatory scrutiny and raises concerns with respect to its compliance to federal statutes, rules and regulations.”
CrowdStrike said that as of March 7, 2023, the Transportation Security Administration (TSA) required Delta and other aircraft operators to “[d]evelop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa.”
CrowdStrike alleged Delta’s delayed recovery was the result of non-compliance with the TSA’s March 7, 2023 cybersecurity amendment.
“While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path,” a CrowdStrike spokesperson told AirlineGeeks in an emailed statement. “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure. We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims and they repeatedly refused assistance from both CrowdStrike and Microsoft. Any claims of gross negligence and willful misconduct have no basis in fact.”
