Mark Lanterman | October 11, 2024
In July 2024, millions were affected by a faulty software update initiated by CrowdStrike, a cyber-security company utilized by thousands of organizations. 1 The update caused mass outages across multiple sectors, with results including flight cancellations and delays in health care. Some have stated that the outage was unprecedented in its severity 2 and has prompted calls for improved quality control practices.
The long-term legal and financial implications of the incident continue to materialize, both for CrowdStrike and the impacted companies. Though CrowdStrike's most recent earnings report was better than some may have expected, 3 it has been suggested that the actual repercussions will likely be reflected more accurately down the road. Customers could still be in the process of searching for other cyber-security solutions; CrowdStrike has implemented measures to encourage customer loyalty, including "$60 million in credits to remain with the company," though this amount is being reported by some clients as only a fraction of what their incurred damages were. 4
Notably, Delta Airlines has indicated that its damages totaled over $500 million, 5 having required around a week to recover from the incident. Consequently, Delta plans to pursue legal action 6 as the company continues to grapple with the aftermath of thousands of flight cancellations. However, CrowdStrike maintains that its contract with Delta specifies a liability limit of less than $10 million; 7 furthermore, it has stated that Delta was itself at fault for taking longer to recover than other clients. The legal ramifications are still only beginning to surface for CrowdStrike, with multiple lawsuits also being filed by investors for what they view to be misleading information about the firm's software testing procedures. 8
While some initially hypothesized that the outages were a result of an external cyber attack, CrowdStrike has denied the claims and asserts that the problem resulting from the errant update was identified and corrected. Still, the fix required manual intervention for each impacted device, resulting in further delays and confusion for users. 9 In addition to its preliminary review, CrowdStrike subsequently released its External Technical Root Cause Analysis, 10 which explains what the firm points to as the technical cause of the incident and its mitigatory measures moving forward. Though an external cyber attacker may not be to blame in this case, it would seem that another type of attack could still be pointed to—an attack of incompetence.
CrowdStrike's lack of quality control directly disrupted the critical business functions of its affected clients. Unfortunately, there is no patch for this type of "attack," and some consumers may deem it necessary to change security vendors. Should an organization decide that this is the best route, it is advisable to pay attention to the vendor's responsibilities and liabilities should an issue arise, including how critical assistance is provided.
This event serves as a reminder to double-check contractual language, ensuring that risk stemming from a potential vendor failure is taken into account. In Delta's case, its agreement with CrowdStrike may limit the amount of financial compensation it receives for damages. 11
This September, Microsoft organized a conference for cyber-security firms in an effort to improve following the CrowdStrike event. 12 Consumers can also adopt some personal practices to strengthen their own security, including backing up their data and waiting to apply software updates, when possible. Allowing a day or two to pass before installing the latest update allows time to identify any negative side effects (and hopefully have it be remediated) prior to applying it yourself.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes