# Delta vs. CrowdStrike: A Legal Clash Over the IT Outage of 2024
The legal confrontation between Delta Air Lines and the cybersecurity firm CrowdStrike has officially commenced, signaling a pivotal moment in the aftermath of one of the most critical IT outages in recent memory. The argument revolves around a global IT failure in July 2024, which severely disrupted Delta’s operations and resulted in losses exceeding $500 million for the airline. As the courtroom proceedings take place, questions arise about whether Microsoft, another key entity involved in the incident, may also be subject to litigation.
## The Incident: What Transpired?
In July 2024, a problematic security update from CrowdStrike sparked a worldwide IT outage that impacted millions of computers, including those of Delta. The update was deployed despite numerous customers—including Delta—opting to disable auto-updates, leading to significant system failures. Delta’s workstations, servers, and redundancy systems were all compromised, resulting in the cancellation of around 7,000 flights over the span of five days.
CrowdStrike has since conceded that more thorough testing and a staggered rollout could have averted the situation. In response, the firm has implemented changes to afford customers greater control over updates and has vowed to ensure such an outage does not repeat. Nevertheless, Delta remains unsatisfied, accusing CrowdStrike of gross negligence and deceit.
## Delta’s Claims: An Instance of Deception?
In its legal filing, Delta asserts that CrowdStrike not only failed to avert the outage but also intentionally misled its clients. Delta alleges that CrowdStrike incorporated an unauthorized backdoor into its software, enabling it to circumvent Microsoft’s security certifications and modify Delta’s systems without the airline’s consent. Delta contends that it would never have accepted such a perilous process had it been fully counseled.
Moreover, Delta’s complaint purports that CrowdStrike prioritized profits over safety, cutting corners to present itself as a faster and more effective security provider compared to its competitors. The airline is striving to recoup its significant losses, which it blames on CrowdStrike’s neglect in adhering to standard industry best practices.
## CrowdStrike’s Argument: Blaming Delta
In contrast, CrowdStrike presents a different narrative. In its own court documents, the cybersecurity firm claims that Delta’s extended recovery from the outage was attributable to the airline’s own IT shortcomings. While other CrowdStrike clients managed to restore their systems within a single day, Delta faced delays for five days, affecting travel for over a million passengers.
CrowdStrike asserts that Delta did not abide by cybersecurity best practices, including those required by the Transportation Security Administration (TSA). The firm argues that Delta’s aging IT infrastructure, compromised login credentials, and issues related to its active directory environment led to the drawn-out recovery. CrowdStrike also contends that Delta failed to adhere to TSA’s cybersecurity emergency amendment, which was enacted in 2023 to ensure airlines could swiftly respond to IT system breaches.
## The Involvement of the TSA and DOT
The TSA has, thus far, refrained from commenting on any plans to look into CrowdStrike’s assertions regarding Delta’s non-compliance with cybersecurity regulations. Nonetheless, the Department of Transportation (DOT) has initiated its own inquiry into Delta’s customer service response during the outage. DOT Secretary Pete Buttigieg has underscored that Delta must fulfill its customer service obligations and comply with legal requirements. The DOT’s investigation could potentially result in financial penalties, further adding to Delta’s losses.
## Is Microsoft Next on the Chopping Block?
Delta has suggested the potential for litigation against Microsoft, which it initially blamed for playing a role in the outage. In an SEC filing in August 2024, Delta CEO Ed Bastian stated that the airline was pursuing legal claims against both CrowdStrike and Microsoft. However, the lawsuit that Delta filed in October 2024 does not name Microsoft as a co-defendant.
Microsoft has countered Delta’s claims, asserting it bears no responsibility for the outage. In correspondence to Delta’s legal team, Microsoft’s attorney, Mark Cheffo, contended that Delta’s public assertions blaming Microsoft were “false, misleading, and damaging.” Cheffo emphasized that Delta had repeatedly rejected Microsoft’s offers to assist in restoring its systems during the outage and indicated that the airline’s IT framework, rather than Microsoft’s services, was responsible for the prolonged recovery.
Microsoft has further alleged that Delta’s crew-tracking and scheduling system, which suffered the most during the outage, was managed by other technology providers, including IBM, and not by Microsoft’s Windows or Azure platforms. Consequently, Microsoft has signaled its intent to “vigorously defend” against any potential legal actions from Delta.
## CrowdStrike’s Terms of Service: Capping Liability
As the legal proceedings unfold, CrowdStrike is counting on its terms of service to limit its liability. The company maintains that even if Delta’s breach of contract claims hold merit, the terms of service dictate that damages are capped.
