Delta Air Lines v. Crowdstrike
Delta Air Lines v. CrowdStrike is an ongoing legal dispute between Delta Air Lines and cybersecurity firm CrowdStrike arising from a global technology outage on July 19, 2024.
The outage, triggered by a flawed software update from CrowdStrike, caused widespread crashes of Microsoft Windows systems and led to disruptions across multiple industries, including air travel. Delta experienced the most severe operational impact among U.S. airlines, with thousands of flight cancellations and losses estimated at over $500 million. The airline subsequently filed a lawsuit against CrowdStrike, alleging gross negligence, computer trespass, and fraud. CrowdStrike denied the claims and filed a separate suit to limit its liability under its service agreement with Delta.
The case has drawn attention to the reliability of third-party software in critical infrastructure and the role of legacy IT systems in operational resilience.
Background
A software update released by cybersecurity provider CrowdStrike on July 19 caused Microsoft Windows operating systems to crash worldwide. This incident forced major U.S. airlines, among other businesses, to halt operations.
There were vastly different experiences of major airlines in the wake of this outage. While American Airlines largely recovered by the evening of the outage and had minimal cancellations the following day, Delta's CEO, Ed Bastian, stated that this figure included lost revenue and tens of millions of dollars per day in compensation and hotels. Bastian announced that Delta would seek damages and emphasized the need for third-party software to be fully tested before being introduced into Delta’s systems. While acknowledging the software flaw, CrowdStrike stated it identified and corrected the issue within hours and worked to support affected customers.
Experts have pointed to several contributing factors in Delta’s slow recovery, including reliance on Windows-based applications, outdated technology, and staffing challenges. A critical issue was the failure of Delta’s crew-tracking system, which left the airline unable to locate staff and reorganize operations. Delta stated that this failure was due to large amounts of incomplete data caused by the outage.
The IT outage
The global outage occurred on July 19, 2024, and was caused by a faulty software update from cybersecurity company CrowdStrike.
More than 8 million Windows-based computers were affected globally. In addition to airlines, the outage disrupted railways, hospitals, emergency services, government offices, banks, hotels, media organizations, and retailers, impacting millions of people around the world.
Delta Air Lines’ extended recovery following the outage became a point of contention among the companies involved. According to Delta, 60% of its mission-critical systems, including backups, operate on Microsoft Windows, requiring the manual reset of approximately 40,000 servers—a more complex process than that faced by other airlines.
The crew-tracking system is operated by Kyndryl, but Delta argued that the disruption was caused by incomplete data resulting from the CrowdStrike update, which made the system unusable. Experts also suggested that Delta’s reliance on Windows-based systems may have contributed to its difficulties.
While the court allowed Delta’s claims of gross negligence and computer trespass to proceed, it dismissed the airline’s fraud claims related to statements made before June 2022. However, the court permitted a limited fraud claim concerning allegations that CrowdStrike falsely promised not to install an “unauthorized back door” into Delta’s systems.
Delta-CrowdStrike contract
CrowdStrike is a cybersecurity company known for its Falcon platform, which provides services such as endpoint protection and threat intelligence.
CrowdStrike argues that the dispute should be governed by its existing services agreement with Delta, which includes provisions limiting liability and excluding certain types of damages unless gross negligence or willful misconduct is proven, which are claims the company denies. CrowdStrike contends that federal court is the appropriate venue due to the involvement of federal statutes cited in related passenger class actions. Judge Robert Pitman found that the claims were preempted by the federal Airline Deregulation Act, which limits state-level legal actions related to airline services.
The court held that “the plaintiffs here bring their suit against CrowdStrike, rather than against the airlines themselves, does not prevent ADA preemption.” The ruling effectively shields CrowdStrike from consumer class action lawsuits related to airline service disruptions.
The outage, triggered by a flawed software update from CrowdStrike, caused widespread crashes of Microsoft Windows systems and led to disruptions across multiple industries, including air travel. Delta experienced the most severe operational impact among U.S. airlines, with thousands of flight cancellations and losses estimated at over $500 million. The airline subsequently filed a lawsuit against CrowdStrike, alleging gross negligence, computer trespass, and fraud. CrowdStrike denied the claims and filed a separate suit to limit its liability under its service agreement with Delta.
The case has drawn attention to the reliability of third-party software in critical infrastructure and the role of legacy IT systems in operational resilience.
Background
A software update released by cybersecurity provider CrowdStrike on July 19 caused Microsoft Windows operating systems to crash worldwide. This incident forced major U.S. airlines, among other businesses, to halt operations.
There were vastly different experiences of major airlines in the wake of this outage. While American Airlines largely recovered by the evening of the outage and had minimal cancellations the following day, Delta's CEO, Ed Bastian, stated that this figure included lost revenue and tens of millions of dollars per day in compensation and hotels. Bastian announced that Delta would seek damages and emphasized the need for third-party software to be fully tested before being introduced into Delta’s systems. While acknowledging the software flaw, CrowdStrike stated it identified and corrected the issue within hours and worked to support affected customers.
Experts have pointed to several contributing factors in Delta’s slow recovery, including reliance on Windows-based applications, outdated technology, and staffing challenges. A critical issue was the failure of Delta’s crew-tracking system, which left the airline unable to locate staff and reorganize operations. Delta stated that this failure was due to large amounts of incomplete data caused by the outage.
The IT outage
The global outage occurred on July 19, 2024, and was caused by a faulty software update from cybersecurity company CrowdStrike.
More than 8 million Windows-based computers were affected globally. In addition to airlines, the outage disrupted railways, hospitals, emergency services, government offices, banks, hotels, media organizations, and retailers, impacting millions of people around the world.
Delta Air Lines’ extended recovery following the outage became a point of contention among the companies involved. According to Delta, 60% of its mission-critical systems, including backups, operate on Microsoft Windows, requiring the manual reset of approximately 40,000 servers—a more complex process than that faced by other airlines.
The crew-tracking system is operated by Kyndryl, but Delta argued that the disruption was caused by incomplete data resulting from the CrowdStrike update, which made the system unusable. Experts also suggested that Delta’s reliance on Windows-based systems may have contributed to its difficulties.
While the court allowed Delta’s claims of gross negligence and computer trespass to proceed, it dismissed the airline’s fraud claims related to statements made before June 2022. However, the court permitted a limited fraud claim concerning allegations that CrowdStrike falsely promised not to install an “unauthorized back door” into Delta’s systems.
Delta-CrowdStrike contract
CrowdStrike is a cybersecurity company known for its Falcon platform, which provides services such as endpoint protection and threat intelligence.
CrowdStrike argues that the dispute should be governed by its existing services agreement with Delta, which includes provisions limiting liability and excluding certain types of damages unless gross negligence or willful misconduct is proven, which are claims the company denies. CrowdStrike contends that federal court is the appropriate venue due to the involvement of federal statutes cited in related passenger class actions. Judge Robert Pitman found that the claims were preempted by the federal Airline Deregulation Act, which limits state-level legal actions related to airline services.
The court held that “the plaintiffs here bring their suit against CrowdStrike, rather than against the airlines themselves, does not prevent ADA preemption.” The ruling effectively shields CrowdStrike from consumer class action lawsuits related to airline service disruptions.
Comments