PL Risk Blog

Delta Sues CrowdStrike Over Its System Failures

Written by Drew Smith | Oct 31, 2024 3:32:45 PM

Delta Airlines has formally filed a lawsuit against the cyber security company CrowdStrike over the recent software update that caused network outages across the world. Delta was one of the largest victims of the system failure that brought flights, hospitals and others that rely on CrowdStrike’s software to a halt.

CrowdStrike is one of the most commonly used and adopted cyber security vendors in the world. CrowdStrike’s security systems are centered on what is known as endpoint detection and response services, also known in the industry as “EDR.” Endpoints are what you access the internet with every day, from laptops and tablet computers to desktops to even your cellphones.(1) Malicious actors target these endpoints because they are the gateway into private servers and other valuable data infrastructure.

The problem with CrowdStrike stemmed from a routine update that didn’t interact with end user machines properly. Like with everything computer related, updating your programming to combat the latest threats to security and data is vital and even mandatory for new systems, so these updates are pushed automatically to all its user machines. So, for example, a patch developed for a virus discovered in Australia could be pushed to machines worldwide automatically. Theoretically, that’s a good thing, as machines worldwide could benefit from the combined user network of such a large organization.

However, when an update to CrowdStrike’s code caused computers to fail, a failure commonly known as the “blue screen of death,” it caused turmoil across the globe. While some were able to revert to legacy systems or reverse the update, some global entities, hospitals and airlines in particular, needed days to recover. This incident demonstrates the vulnerability of complete dependence on third-party software programs and the vulnerabilities that come with the current software as a service (SaaS) world.

The two industries affected the most by this update were the healthcare and airline industries. These two industries were affected more than some others because they couldn’t afford to take their systems down to revert them, and many of their systems are highly modified based on legacy systems. Hospitals were unable to take in new patients or access records, and the airline industry was forced to cancel and reschedule hundreds of flights, causing a massive loss of revenue.

Delta says the faulty update cost the airline at least $500 million in out-of-pocket losses — in addition to “severe harm to its reputation and goodwill,” according to the complaint, filed Friday in state court in Georgia. Delta claims the software update was “forced” on the company — and wasn’t something its IT staff installed. Delta’s claims against CrowdStrike include fraud, breach of contract, deceptive business practices and computer trespass. (2)

CrowdStrike filed a competing lawsuit after failing to reach an out-of-court settlement with the airline, contending it was the airline’s response that led to its debacle. Notably, Delta’s competitors United and American Airlines were back up within a day, while Southwest and Alaska Airlines were not affected at all as they had used different systems. The IT company contends that Delta’s response was “lackluster” in the wake of the outage, and that the airline is now seeking to inappropriately “shift blame” for the entirety of the disruption to CrowdStrike.

Following the faulty update on July 19, “CrowdStrike quickly identified the cause of the issue, remedied it, and pushed out a fix, all within a matter of hours,” the company said in the lawsuit against Delta. “But, in contrast to other major airlines that resumed near-normal levels of operations by the following day, July 20, Delta struggled to resume near-normal levels of operations for days.”

Ultimately, “it was Delta’s own response and IT infrastructure that caused delays in Delta’s ability to resume normal operation, resulting in a longer recovery period than other major airlines,” CrowdStrike said in the suit. (3)

Delta’s lawsuit and the fallout from this recent system failure are further proof that, in addition to ransomware and data breach exposures, companies, regardless of size, have cyber risk exposure from other areas such as vendors, software providers and other third parties, which may be outside the control of the company.