TSA silent on CrowdStrike’s claim Delta skipped required security update

Delta and CrowdStrike have locked legal horns, threatening to drag out the aftermath of the worst IT outage in history for months or possibly years.

Each refuses to be blamed for Delta’s substantial losses following a global IT outage caused by CrowdStrike suddenly pushing a flawed security update despite Delta and many other customers turning off auto-updates.

CrowdStrike has since given customers more control over updates and made other commitments to ensure an outage of that scale will never happen again, but Delta isn’t satisfied. The airline has accused CrowdStrike of willfully causing losses by knowingly deceiving customers by failing to disclose an unauthorized door into their operating systems that enabled the outage.

In a court filing last Friday, Delta alleged that CrowdStrike should be on the hook for the airline’s more than $500 million in losses—partly because CrowdStrike has admitted that it should have done more testing and staggered deployments to catch the bug before a wide-scale rollout that disrupted businesses worldwide.

“As a result of CrowdStrike’s failure to use a staged deployment and without rollback capabilities, the Faulty Update caused widespread and catastrophic damage to millions of computers, including Delta’s systems, crashing Delta’s workstations, servers, and redundancy systems,” Delta’s complaint said.

Delta has further alleged that CrowdStrike postured as a certified best-in-class security provider who “never cuts corners” while secretly designing its software to bypass Microsoft security certifications in order to make changes at the core of Delta’s computing systems without Delta’s knowledge.

“Delta would have never agreed to such a dangerous process had CrowdStrike disclosed it,” Delta’s complaint said.

In testimony to Congress, CrowdStrike executive Adam Meyers suggested that the faulty update did follow standard protocols. He explained that “CrowdStrike’s software code is certified by Microsoft” and that it’s “updated less frequently,” and “new configurations are sent with rapid occurrence to protect against threats as they evolve,” not to bypass security checks, as Delta alleged.

But by misleading customers about these security practices, Delta alleged, CrowdStrike put “profit ahead of protection and software stability.” As Delta sees it, CrowdStrike built in the unauthorized door so that it could claim to resolve security issues more quickly than competitors. And if a court agrees that CrowdStrike’s alleged failure to follow standard industry best practices does constitute, at the very least, “gross negligence,” Delta could win.

“While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path,” CrowdStrike’s spokesperson told Ars. “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure. We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims and they repeatedly refused assistance from both CrowdStrike and Microsoft. Any claims of gross negligence and willful misconduct have no basis in fact.”

CrowdStrike sues to expose Delta’s IT flaws

In its court filing, however, CrowdStrike said there’s much more to the story than that. It has accused Delta of failing to follow laws, including best practices established by the Transportation Security Administration (TSA).

While many CrowdStrike customers got systems back up and running within a day of the outage, Delta’s issues stretched painfully for five days, disrupting travel for a million customers. According to CrowdStrike, the prolonged delay at Delta was not due to CrowdStrike failing to provide adequate assistance but allegedly to Delta’s own negligence to comply with TSA requirements designed to ensure that no major airline ever experiences prolonged system outages.

“Despite the immediate response from CrowdStrike, it was Delta’s own response and IT infrastructure that caused delays in Delta’s ability to resume normal operation, resulting in a longer recovery period than other major airlines,” CrowdStrike’s complaint said.

In March 2023, the TSA added a cybersecurity emergency amendment to its cybersecurity programs. The amendment required airlines like Delta to develop “policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised,” CrowdStrike’s complaint said.

Complying with the amendment ensured that airlines could “timely” respond to any exploitation of their cybersecurity or operating systems, CrowdStrike explained.

CrowdStrike realized that Delta was allegedly non-compliant with the TSA requirement and other laws when its “efforts to help remediate the issues revealed” alleged “technological shortcomings and failures to follow security best practices, including outdated IT systems, issues in Delta’s active directory environment, and thousands of compromised passwords.”

TSA declined Ars’ request to comment on whether it has any checks in place to ensure compliance with the emergency amendment.

While TSA has made no indication so far that it intends to investigate CrowdStrike’s claims, the Department of Transportation (DOT) is currently investigating Delta’s seemingly inferior customer service during the outage. That probe could lead to monetary fines, potentially further expanding Delta’s losses.

In a statement, DOT Secretary Pete Buttigieg said, “We have made clear to Delta that they must take care of their passengers and honor their customer service commitments. This is not just the right thing to do, it’s the law, and our department will leverage the full extent of our investigative and enforcement power to ensure the rights of Delta’s passengers are upheld.”

On X (formerly Twitter), Buttigieg said that the probe was sparked after DOT received hundreds of complaints about Delta’s response. A few days later, Buttigieg confirmed that the probe would “ensure the airline is following the law and taking care of its passengers during continued widespread disruptions.” But DOT declined Ars’ request to comment on whether DOT was investigating Delta’s alleged non-compliance with TSA security requirements, only noting that “TSA is not part of DOT.”

Will Microsoft be sued next?

Delta has been threatening legal action over the CrowdStrike outage since August, when Delta confirmed in an SEC filing that the outage caused “approximately 7,000 flight cancellations over five days.” At that time, Delta CEO Ed Bastian announced, “We are pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage, which total at least $500 million.”

But Delta’s lawsuit Friday notably does not name Microsoft as a defendant.

Ars could not immediately reach Delta’s lawyer, David Boies, to confirm if another lawsuit may be coming or if that legal threat to Microsoft was dropped.

It could be that Microsoft dissuaded Delta from filing a complaint. Immediately in August, Microsoft bucked Delta’s claims that the tech giant was in any way liable for Delta’s losses, The Register reported. In a letter to Boies, Microsoft lawyer Mark Cheffo wrote that Microsoft “empathizes” with Delta, but Delta’s public comments blaming Microsoft for the outage are “incomplete, false, misleading, and damaging to Microsoft and its reputation.”

“The truth is very different from the false picture you and Delta have sought to paint,” Cheffo wrote, noting that Microsoft did not cause the outage and Delta repeatedly turned down Microsoft’s offers to help restore its systems. That includes one instance where a Delta employee allegedly responded to a Microsoft inquiry three days after the outage by saying that Delta was “all good.” Additionally, a message from Microsoft CEO Satya Nadella to Delta’s Bastian allegedly went unanswered.

Cheffo alleged that Delta was cagey about accepting Microsoft’s help because “the IT system it was most having trouble restoring—its crew-tracking and scheduling system—was being serviced by other technology providers, such as IBM, because it runs on those providers’ systems, and not Microsoft Windows or Azure.”

According to Cheffo, Microsoft was “surprised” when Delta threatened to sue since the issues seemed to be with Delta’s IT infrastructure, not Microsoft’s services.

“Microsoft continues to investigate the circumstances surrounding the CrowdStrike incident to understand why other airlines were able to fully restore business operations so much faster than Delta, including American Airlines and United Airlines,” Cheffo wrote. “Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernized its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants.”

At that time, Cheffo told Boies that Microsoft planned to “vigorously defend” against any litigation. Additionally, Microsoft’s lawyer demanded that Delta preserve documents, including ones showing “the extent to which non-Microsoft systems or software, including systems provided and/or designed by IBM, Oracle, Amazon Web Services, Kyndryl or others, and systems using other operating systems, such as Linux, contributed to the interruption of Delta’s business operations between July 19 and July 24.”

It seems possible that Cheffo’s letter spooked Delta out of naming Microsoft as a defendant in the lawsuit over the outage, potentially to avoid a well-resourced opponent or to save public face if Microsoft’s proposed discovery threatened to further expose Delta’s allegedly flawed IT infrastructure.

Microsoft declined Ars’ request to comment.

CrowdStrike says TOS severely limits damages

CrowdStrike appears to be echoing Microsoft’s defense tactics, arguing that Delta struggled to recover due to its own IT failures.

According to CrowdStrike, even if Delta’s breach of contract claims are valid, CrowdStrike’s terms of service severely limit damages. At most, CrowdStrike’s terms stipulate, damages owed to Delta may be “two times the value of the fees paid to service provider for the relevant subscription services subscription term,” which is likely substantially less than $500 million.

And Delta wants much more than lost revenue returned. Beyond the $500 million in losses, the airline has asked a Georgia court to calculate punitive damages and recoup Delta for future revenue losses as its reputation took a hit due to public backlash from Delta’s lackluster response to the outage.

“CrowdStrike must ‘own’ the disaster it created,” Delta’s complaint said, alleging that “CrowdStrike failed to exercise the slight diligence or care of the degree that persons of common sense, however inattentive they may be, would use under the same or similar circumstances.”

CrowdStrike is hoping a US district court jury will agree that Delta was the one that dropped the ball the most as the world scrambled to recover from the outage. The cybersecurity company has asked the jury to declare that any potential damages are limited by CrowdStrike’s subscriber terms and that “CrowdStrike was not grossly negligent and did not commit willful misconduct in any way.”

This story was updated to include CrowdStrike’s statement.