TSA silent on CrowdStrike’s claim Delta skipped required security update

“Microsoft continues to investigate the circumstances surrounding the CrowdStrike incident to understand why other airlines were able to fully restore business operations so much faster than Delta, including American Airlines and United Airlines,” Cheffo wrote. “Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernized its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants.”

At that time, Cheffo told Boies that Microsoft planned to “vigorously defend” against any litigation. Additionally, Microsoft’s lawyer demanded that Delta preserve documents, including ones showing “the extent to which non-Microsoft systems or software, including systems provided and/or designed by IBM, Oracle, Amazon Web Services, Kyndryl or others, and systems using other operating systems, such as Linux, contributed to the interruption of Delta’s business operations between July 19 and July 24.”

It seems possible that Cheffo’s letter spooked Delta out of naming Microsoft as a defendant in the lawsuit over the outage, potentially to avoid a well-resourced opponent or to save public face if Microsoft’s proposed discovery threatened to further expose Delta’s allegedly flawed IT infrastructure.

Microsoft declined Ars’ request to comment.

CrowdStrike says TOS severely limits damages

CrowdStrike appears to be echoing Microsoft’s defense tactics, arguing that Delta struggled to recover due to its own IT failures.

According to CrowdStrike, even if Delta’s breach of contract claims are valid, CrowdStrike’s terms of service severely limit damages. At most, CrowdStrike’s terms stipulate, damages owed to Delta may be “two times the value of the fees paid to service provider for the relevant subscription services subscription term,” which is likely substantially less than $500 million.

And Delta wants much more than lost revenue returned. Beyond the $500 million in losses, the airline has asked a Georgia court to calculate punitive damages and recoup Delta for future revenue losses as its reputation took a hit due to public backlash from Delta’s lackluster response to the outage.

“CrowdStrike must ‘own’ the disaster it created,” Delta’s complaint said, alleging that “CrowdStrike failed to exercise the slight diligence or care of the degree that persons of common sense, however inattentive they may be, would use under the same or similar circumstances.”

CrowdStrike is hoping a US district court jury will agree that Delta was the one that dropped the ball the most as the world scrambled to recover from the outage. The cybersecurity company has asked the jury to declare that any potential damages are limited by CrowdStrike’s subscriber terms and that “CrowdStrike was not grossly negligent and did not commit willful misconduct in any way.”

This story was updated to include CrowdStrike’s statement.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top