Two years ago, CrowdStrike pushed a Rapid Response Content update and it caused systems to crash. Microsoft says the update affected 8.5 million Windows devices.
Airlines were hit hard because so many operational systems were on affected devices. Delta alone cancelled 7,000 flights, and 1.3 million of their passengers were affected, costing them more than $500 million. Delta is suing CrowdStrike, but other airlines recovered far more quickly and CrowdStrike says that while issues were triggered by their upgrade, Delta flubbed the response.
7/20/2024 10:30 AM Travel Warning
Due to the global IT outage by @CrowdStrike on 7/19, my flight with @Delta at Hartsfield-Jackson Atlanta International Airport has been canceled twice (7/19 and 7/20). The airport is a ZOO, long lines at the lost baggage & customer service. pic.twitter.com/oGSolX74j5
— Ethan M. Cortazzo (@Ethan_Cortazzo1) July 20, 2024
I live at the airport now. Thanks, @Delta! ✈️ pic.twitter.com/x8F6MLTcso
— Liz Skalka (@lizskalka) July 20, 2024
But passengers are suing CrowdStrike, too, pleading negligence, California Unfair Competition Law claims for California residents, and public nuisance for residents of Ohio and Pennsylvania.
- CrowdStrike allegedly owed passengers a duty to use reasonable care in maintaining, operating, and updating systems but failed to design, test, validate, control, monitor, and audit the update. They knew it was used in critical infrastructure, and their mistake foreseeably caused widespread airline IT outages and flight delays and cancellations.
- That imposed costs on passengers for replacement flights, hotels, meals, lost wages, vacation days, etc. There was also anxiety, chest pains, and headaches and passengers sleeping uncomfortably on the floor of airports.
- But the case was initially dismissed – not because CrowdStrike wasn’t at fault, but because the claims are precluded by the Airline Deregulation Act.

This strikes at a core theme I frequently highlight – that deregulation was good overall, but that it also created too great of a liability shield. It usually just protects airlines from negligently abusing passengers, but here that’s extended to a software company.
The Airline Deregulation Act preempts state laws “related to a price, route, or service of an air carrier.” In the Fifth Circuit, “services” is interpreted broadly to include ticketing, boarding, food and beverage, baggage handling, as well as the transportation itself.
- If the suit were against the airlines, it would be preempted because it’s about flight delays, cancellations, rebooking, etc. Suing CrowdStrike instead is preempted because it still relates to airline services.
- The suit is that airlines relied on CrowdStrike to support their essential systems, and that passengers relied on CrowdStrike to reliably help keep everything flying as scheduled. The outage affected aircraft weight and balance calculations, check-in, and call center systems. That’s all part and parcel of airline services covered by ADA preemption.
- State tort liability against an airline cybersecurity vendor could significantly affect airline services by changing vendor practices, airline cybersecurity procurement, pricing, and ultimately therefore airline service economics. Basically if you touch anything in the airline supply chain, it might affect prices airlines pay and therefore what services they provide or what those services cost. That’s a very expansive read.
- You can still generally sue airlines for personal injury tied to aircraft operation and maintenance. But damages here are for a service disruption.

The passengers are now seeking a rehearing en banc to overturn the dismissal.
They want the court to consider CrowdStrike’s generic software duty, not the airline-specific effects. This wasn’t a product targeted specifically at airlines. CrowdStrike, though, says that everything in the suit is predicated on airline services, and that their alleged duty is keeping planes flying. That’s all stuff left to federal regulation, and that Congress said couldn’t be litigated under state laws.
Under the law it seems like CrowdStrike has the stronger argument, and that’s a problem, because it extends a liability shield that’s already too broad to more companies. I’m not even sure the plaintiffs get the rehearing en banc, though I think it’s an exceptionally important question that would warrant one. The dismissal logic is a broad shield for non-airline vendors whenever airline passengers are harmed by their conduct.
Delta can sue. Passengers cannot. I’m not sure that’s a result which makes sense.


Let us not forget that this could only have happened because the idiotic EU forced Microsoft to give others access to Windows.
Well, good luck to Delta on recovering from CrowdStrike for contract breach and gross negligence… as for passengers, it sure would be nice if the U.S. had mandatory regulations that ensured compensation for excessive delays and cancellations within an airline’s control (cough, UK/EU261, Canada’s APPR, etc.) A vendor outage should absolutely be deemed ‘controllable’…airlines choose and rely on these service providers, unlike an act of God such as severe weather…
@This comes to mind — Oh, so, trying to let CrowdStrike off-the-hook, eh? Naw, they messed up. It’s not the EU’s fault that they have an anti-monopoly rule from 2009. C’mon man…
@This comes to mind
The problem is bad software design and failure to isolate level 0 faults. And the idiocy is in anyone who wants Defender to be the only AV available on Windows, or only knows enough to say ‘EU bad’
A Premium Meltdown by Delta
Good – nice that reason prevails and greedy people (and their ambulance chasers) can’t get a pay day. Stuff happens people so deal with it and that doesn’t mean someone owes you money!
@Retired Gambler — Translation: “I got mine!” *pulls ladder up*
Yeah, screw those ‘greedy’ passengers, whose flights were cancelled, took on great personal expense to get to where they needed to go, after the airline and its service provider failed them… /s
(Oh, and throwing in a ‘lawyers-bad’… you got ’em so good…)
The bigger problem is using a general-purpose consumer-grade software platform as opposed to purpose-built solutions (i.e. specialized controllers with hardened embedded software for flight-status displays, dedicated secure clients such as IGEL for workstations, etc.) and then trying to add on a dodgy “EDR” platform to make up for it.
Doing things right costs money. Doing things cheap has consequences.
Yes, I was in Atlanta for CrowdStrike, because European airlines somehow managed to recover quickly.
No, I don’t feel like Delta even came close to doing their part, at the time or afterwards. To be fair, they reimbursed my night in the flophouse and breakfast (thank you, EU), but never the downgrade or the avoid ability claim.
No, I won’t pursue the matter further. It’s easier for me not to fly Delta if I can avoid it, and yes, to explain my experience to strangers. You had your chance, now I’ve got to work quietly to ensure the pain you visit upon me is returned hundred-fold.
@Bubba — Never stop. You deserved better. Please also consider advocating for air passenger rights, like an EU-261-equivalent in the US (or at least bringing back Rule 240, where carriers had to get you on the next available flight, even if it’s with a competitor).