Wednesday, May 21, 2025
Latest:
The Register

Judge allows Delta’s lawsuit against CrowdStrike to proceed with millions in damages on the line

TH Author

CrowdStrike is “confident” that the worst-case scenario of its pending lawsuit with Delta will result in it paying the airline a sum in the “single-digit millions.”

That’s according to its outside counsel, Michael Carlinsky of law firm Quinn Emanuel, who told The Register that he believes Delta’s claims will be capped in the single-digit-millions or otherwise be deemed meritless.

The comments come after Judge Kelly Lee Ellerbe gave the go-ahead for the airline to sue the cybersecurity company last week in a decision [PDF] filed with the Fulton County Superior Court on May 16. In the order, Delta’s claims alleging intentional misrepresentation and fraud by omission were cut from the case, but its remaining claims – including negligence and computer trespass – can move forward, the judge said.

The case relates to security vendor CrowdStrike’s mega-outage in July last year that affected various high-profile clients and caused widespread disruption across the world. It’s estimated that around 8.5 million Windows PCs suffered Blue Screens of Death (BSODs) as a result of CrowdStrike pushing out the flawed update to its Falcon threat-detection system at 0409 UTC on Friday, July 19. The ill-fated update crashed and disabled millions of Windows boxes – and IT systems – across the world, but airlines were particularly hard hit because of the centralized nature of modern air travel tech.

Carlinsky said he believed the worst-case scenario would see damages capped at the limits set out in its contract with Delta, an airline that was forced to cancel around 7,000 flights as a result of the IT issues caused by the faulty Falcon sensor update.

The lawyer highlighted that Atlanta-based Delta made other arguments in its case that could have seen damages exceed the contractual cap, but these were rejected due to Georgia law, which limits extra-contractual recoveries.

A Delta spokesperson said: “We are pleased by the ruling and remain confident in the merits of our claims against CrowdStrike.”

The news comes a fortnight after a federal judge said a class-action lawsuit brought to the airline by disgruntled passengers could move ahead.

The disruption caused by Crowdstrike’s faulty update was comparatively greater at Delta than at other airlines; it took longer to return to normal operations than some of its major competitors. American Airlines and United Airlines, for example, both returned to near-normal operations within three days, while Delta took five.

On each of the first three days following the outage, the number of Delta cancellations eclipsed those of American and United – well over 1,000 each day for Delta and a few hundred for the others. 

By the fourth day, neither American nor United cancelled more than 100 flights each, while Delta still grounded more than 1,000.

bsod

Post-CrowdStrike catastrophe, Microsoft figures moving antivirus out of Windows kernel mode is a good idea

READ MORE

In the wake of the cancelled flights, passengers who found themselves out of pocket and inconvenienced after sleeping in airports and failing to get through to the airline for hours filed more than 3,000 complaints, causing the US Department of Transport to open an investigation into Delta’s response to the widespread outage. Then-transport secretary Pete Buttigieg cited “a very different pattern from Delta than the other airlines.” 

Delta primarily blamed software provided by CrowdStrike and Microsoft for the issues that led to the flight cancellations. Crowdstrike went on to claim in a letter sent to Delta’s legal team that the airline had rejected technical support offers from both tech companies and the refusal to accept help prolonged its operational woes.

These arguments surfaced shortly after the incident took hold, in August 2024. Delta responded to the letter just days after it was made public, claiming CrowdStrike’s offer of help came too late in the day, and that bringing up the untimely support call from CEO George Kurtz was a tactic to “shift the blame” away from the security shop.

Responding to Delta’s accusation that Microsoft was partly to blame, the Windows maker claimed this was “false” and “misleading,” adding that repeated contact attempts were ignored.

Lawyers for the passengers in the class action also took issue with Delta’s compensation offer. The lawsuit alleged that “although Delta offered reimbursement of eligible expenses through their website and app, Delta failed to clarify that the customer would only be receiving a partial reimbursement.”

“Furthermore, Delta did not disclose to its customers that acceptance of the partial reimbursement would release any legal claims the customer may have against Delta until after the customer ‘click[ed] on the button to accept the partial reimbursement.'”

Delta had previously estimated its costs related to the CrowdStrike incident were in the region of $500 million, and before the ruling earlier this month, tried to have the class action dismissed.

US District Judge Mark H. Cohen dismissed some of the claims at Delta’s request but allowed others to go ahead, such as the counts related to breach of contract based on failure to refund and violation of the Montreal Convention.

The latter is an international treaty that codifies airlines’ liability for various matters without needing to prove negligence.

Both cases continue. ®

Delta Air Lines Inc v CrowdStrike Inc is case number 24CV013621 in the Georgia Superior Court, Fulton County

Bajra et al v Delta Air Lines is the class action lawsuit, case number 1:24-cv-03477 in the District Court of the Northern District of Georgia

READ MORE HERE