Delta Air Lines cancelled more flights last month than they did in 2018 and 2019, in an historic meltdown following the CrowdStrike outage. They delayed taking care of customers, denied blame, and their CEO jetted off to Paris for the Olympics.
They’ve made a big show of their plan to sue CrowdStrike for damages, since this wasn’t Delta’s fault, but they have several hurdles to overcome.
- They have to show gross negligence and not merely negligence. Clearly CrowdStrike screwed up, but that’s not enough. The standard isn’t always clear, but was it intentional or at least reckless?
- Their contract with Delta caps damages.
- While it appears that Delta, which shed IT staff and has taken other cost-saving moves to reduce IT expense, responded to the outage poorly compounding its effects.
CrowdStrike has responded to Delta’s legal threat,
We have expressed our regret and apologies to all of our customers for this incident and the disruption that resulted. Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party. We hope that Delta will agree to work cooperatively to find a resolution.
In their lawyer’s response, while acknowledging they screwed up, notes that:
- Delta’s meltdown was unlike any other airline
- “CrowdStrike’s CEO personally reached out to Delta’s CEO to offer onsite assistance, but received no response.”
- “CrowdStrike followed up with Delta on the offer for onsite support and was told that the onsite resources were not needed.”
- The magnitude of the meltdown was due to “Delta’s IT decisions and response to the outage.”
In any case, “liability by CrowdStrike is contractually capped at an amount in the single-digit millions.”
They also suggest that in any litigation they’ll be forced to drag Delta’s poor IT “design and operational resiliency capabilities” and failure to upgrade systems. In other words, Delta’s reputation for premium will be further called into question. Discovery, and ultimately trial testimony, could be more damaging to Delta’s business than anything they might hope to recover.
This to me is the right take. CrowdStrike’s likability and perception on reliability is already in the trash and like you said suppliers and clients generally have compensation for incident’s already defined. It feels like Delta’s perception of operational reliability can only get worse if they drag this into a lawsuit that goes to trial. Doesn’t feel like there is much to gain.
Ha Ha Ha!
CrowdStrike has said that Delta’s extensive outage was Delta’s fault and indicate that Delta handling the situation worse than other airlines and even small companies is a sign of Delta being at fault for not running a better IT ship.
Will CrowdStrike go after Delta for damages arising from defamation? That might also be no walk in the park given how many companies and industries had problems because of CrowdStrike. But what else can be expected than lawsuits and countersuits when the involved parties’ own insurance providers want to pass the buck along to someone else.
News is coming out this morning that the CEO of CrowdStrike personally reached out to Ed Bastion to offer his help during the crisis but got zero response. It seems pretty obvious that Ed didn’t want his Parisian holiday interrupted. Not a good look given what happened to so many Delta passengers.
Delta is a Premium Cry Baby.
Delta is like the nasdaq of airlines. So overpriced and overrated only to sink hard in times of woe
> “CrowdStrike’s CEO personally reached out to Delta’s CEO to offer onsite assistance, but received no response.”
Would *you* trust the same outfit that took your systems down to be able to fix it?
Delta showed a complete lack of resiliency during the Crowdstrike incident. It exposed itself unable to cope with customers during outages and irregular operations. IT and customer service have obviously been neglected. Any way Delta can sue itself?
P R E M I U M ! ! !
Anybody that thinks anything will come from this is kidding themselves. Other than maybe who pays for the next round at the country club. Ed and Mayor Pete will continue to bloviate but the American people will continue to suffer. Bring back the CAB days. I used to go months without a delay or cancellation. Now I run about 40% delayed.
I’m liking Crowdstrike’s odds on this. Stuff happens. But everyone else got it going again faster, they offered help, and Delta did what it loves to do and it shows: decline assistance and insist it knows best. From day one every single internal Delta communication called it the “Crowdstrike outage” or “Crowdstrike-caused problems” clearly staying on message… and view of people in middle level leadership at DL was that if this all went to litigation, a lot will come out in the wash that wouldn’t paint DL in a good light.
Limits of liability terms on these contracts are very very tight even with negligence. I negotiate these for a living and most favorable terms I have ever negotiated were 6X yearly spend. And that was a $1B/5-year contract, I am quite sure that DL didn’t have that type of negotiation leverage. This goes to court (most likely in a jurisdiction friendly to the SW provider – another term that Crowdstrike wouldn’t give up to maybe a $5-10M contract) DL has a very uphill climb
Delta can look at it just like the Contract of Carriage . Extremely lopsided and unfavorable for the customer.
ls there anyone else out there who logs on to blogs such as this to see aviation and only aviation news? I’m referring in this case to H2oman’s posting, who seems to feel that somehow the dispute and possible litigation between Delta and CrowdStrike simply must, simply has to, simply requires a reference to “Mayor Pete.”
I didn’t see anything in this corporate dispute which required or even warranted bringing Secretary Buttigieg into this discussion. Does anyone else agree?
@jsm
You may not be aware but the DOT is the only firewall between the customer and the airline. Unless you sue them in small claims court you’re at the mercy of the DOT to make things right. And so far they haven’t. Go on to other sites and read where people are getting reimbursements rejected or only 10% back. Pothole Pete was the one who ran to the cameras saying Delta was going to take care of passengers. Pete’s so weak that Bastian mouthed off about him to the media.
If I were a laid off Delta IT employee, I would call Crowd Strike’s legal department & volunteer my services for free.
I saw multiple talking heads on CNBC saying exactly the same thing. Why were all the other airlines able to quickly recover but Delta could not? Delta is opening itself up here. All of their internal emails and communications during the chaos are open to discovery.
This could definitely be Premium entertainment.
Less-than-premium!
I never thought as Delta as a premium anything.I see it as a tired old overpriced legacy carrier just as bad or good as the rest of the pack.I’ve seen many ancient or tired old planes in most of my past flights
The only reason I ever consider them is if they fly a first class non stop to a city of interest
Typically even then the pricing is so absurd I book with almost anyone else but Frontier or Spirit
Usually AA United or Alaska even if it means connecting.At least I’m not paying 100% more!
Except … Delta is DENYING CLAIMS FOR INCIDENTALS COMPENSATION
It will be interesting in this lawsuit to learn how many claims for compensation of incidentals are being denied by Delta.
Like mine. After they canceled my flight and I was stranded for three days.
At their invitation, I submitted my incidental expenses within 72 hours. (Food, airport transportation). They were denied en masse a week later without explanation and with no options for recourse.
Delta used to be something to brag about. The contempt they are showing customers in this experience is revolting.
The only reason Delta is still regarded as premium is because they have all the “travel news sites” like TPG and NerdWallet practically on their payroll. Those sites with massive followings are virtually extensions of the Delta News Hub nowadays.
For me this is more about CrowdStrike than Delta. Yes, Delta took longer to get back up and running and that contributed to whatever damages Delta wants to squeeze out of CrowdStrike. But, ultimately, Delta doesn’t have to do anything if CrowdStrike had done it’s job properly.
Delta clears the Gross Negligence hurdle easily. I’ve been QA for 20+ years and in some very mission critical areas where if we ever screwed up a release our customers would be in deep doo-doo. And I can tell you that for CrowdStrike to release a build and not catch a bug that should have been easily found if they had done even basic deployment testing (and I can guarantee you CrowdStrike has entire build deployment mockup systems that are there to check this stuff) is a huge red flag. A corner case issue affecting a handful of customers might not get caught (depending on how CrowdStrike has configured their testbeds) but a systemic issue affecting just about everybody it gets deployed to says to me this totally rises to the level of Gross Negligence.
CrowdStrike may have a contract that limits damages but I can guarantee you IT departments of CrowsdStrike’s bigger customers are either in the process of or have completed a financial damage assessment and those corporations are going to be taking a hard look at CrowdStrike’s cap and deciding if that cap needs to be raised if CrowdStrike expects to retain their business. Caps are fine an dandy in the theoretical world but once there’s a real world example and the numbers no longer add up, changes occur.
That Delta was offered support and refused is the biggest strike against their case. But, again, this doesn’t matter if CrowdStrike had done basic QA before deploying that build. IT expects deployments to be near bulletproof. This is an industry that, once they get their systems up and working, they only make the most incremental of changes and only when absolutely necessary because these systems should never ever go down and when they do someone is getting fired. CrowdStrike’s customers expect that level of stability out of it. And CrowdStrike totally screwed the pooch.
@Doug Swalen “Delta clears the Gross Negligence hurdle easily.” Negligence maybe, but… was their tester drug while testing? Gross negligence can be a pretty tough standard and CrowdStrike liability is capped at under $10mm in the contract apparently in any case
Delta obviously failed to do proper BCP (business continuity planning) or DR (disaster recovery) testing. This incident will alert the many government agencies that pay attention to such things and bring Delta to the top of their list.
Proving gross negligence against Crowdstrike definitely seems possible. But Delta needs to admit to their part in the chain of events. As noted above every other airline was back and running much sooner than Delta.
Everyone wants to blame Crowdstrike for this issue. Yes they pushed out a bad update and should have 1.) caught it sooner; and 2.) set that update to rolling in batches, not global. Bad on them.
HOWEVER, the root is this issue is that the operating system Microsoft Windows is so incredibly weak that one single file brings it down and makes it completely unusable. One file! A properly designed operating system would simply ignore the bad file and move on. Microsoft systems simply crash and don’t recover without significant manual intervention. Yes Crowdstrike sent a bad file, but seriously why is no one pointing out that one single file kills Microsoft Windows? One single file breaks it completely. We thought the power grid was vulnerable??
As for Delta, bad on them for relying on such a weak and incredibly vulnerable system running their organization. Large and critical back end systems shouldn’t be running on such vulnerable machines. Delta’s failure is not that they couldn’t get Windows back and running quickly – it’s that they relied so heavily on Windows in the first place.
Hey, when your business model involves pushing updates to mission-critical systems _because_ they are mission-critical, you explicitly guarantee that every effort was made to ensure stability after release. The knocks on Crowdstrike in the months before the event show a system that might have had problems with edge cases. To minimize those, you test the exact release candidate (and probably copy the release candidate to three separate files, test them all, and verify their identity, just to avoid any byzantine generals you might have in the closet). Then you roll out the release to the clients, rather than everywhere all at once (save that for actively exploited zero days).
This has been the industry standard for forty years. Crowdstrike didn’t do this. They’re doing this now.
So, yes, Delta could have expected them to perform to basic industry standards.
But, also yes, Delta didn’t do their minimum either. What kind of idiot puts all their eggs in Crowdstrike’s basket? How do they not have any reversion modes? And I got to enjoy that personally, along with an unforgettable night in the ATL Ramada Plaza Inn. So, I want blood.
In short: crowdstrike is pretty much a lock for gross negligence, but you could make a decent argument for Delta as well.
It is refreshing to read the comments of real IT professionals commenting here that recognize that 1. this is far bigger than Delta
2. when you impact tens if not hundreds of millions of users, an apology and pointing to a tiny limit of liability is not going to fly.
3. Microsoft was included because of the vulnerability of their system is to be brought down by vendor software
as for the comments about not putting all of one’s eggs in the MSFT/CRWD, MSFT is the dominant force in large business operating systems and CRWD HAD a dominant position in the cybersecurity space.
and most importantly, CRWD’s stock is down 45% in one month and fell 10% solely on the day DL said it was seeking compensation.
DL said this cost them $500 million; CRWD’s market cap has been reduced by TENS OF BILLIONS of dollars.
Anyone that can’t see that one company is fighting for its survival amid a guaranteed flood of clients to other software while this event will reduce DL’s 2024 profits by about 10%.
CrowdStrike is fighting for its life and its CEO Is doing all possible to cover his backside and limit damage.
CRWD will settle w/ DL privately to avoid the incessant parade of bad commentary from a disgruntled client that has the potential to severely and negatively impact CRWD’s recovery from this event.
There is no more damage that CRWD can do to Delta.
As much as some want to believe otherwise, DL holds the cards here.
Companies use Microsoft Windows based systems for a reason. They use them because their IT professionals recommend using them. A lot of it is cost and convenience after studying the situation. The weaknesses of the Microsoft operating systems are well documented. Complaining about them now is disingenuous. Almost any operating system will fail if only a small amount of bad code is injected in the right part, especially during the booting process (resulting in a kernel panic message from a UNIX type system). Delta’s IT failure was not deploying the right resources to recover quickly from a widespread failure. Where were the backups to rebuild the systems from before the bad code was introduced? Why did the rebuilds need so much individual attention? The bad code was not designed like a computer virus because computer viruses are designed to evade and sometimes the best way to get rid of them is a scorched earth approach of building the backup on a new machine and destroying the old machine.