Published on the 14/08/2024 | Written by Heather Wright
Is customer’s failure to modernise a get out of jail clause?…
A battle royale appears to be brewing in the wake of July’s global IT outage – and it’s one that could give IT leaders pause for thought.
Taking centre court – and possibly heading to court – are CrowdStrike, Microsoft and US airline Delta.
Delta has gone public with its grievances over the outage, caused by CrowdStrike’s faulty software upgrade which downed IT systems around the world on July 19.
“Delta, unlike its competitors, apparently has not modernised its IT infrastructure.”
For Delta, the faulty update’s impact on its systems saw it cancel 7,000 flights over five days after it crashed Delta’s 37,000 Microsoft Windows computers. Travel plans for more than 1.3 million Delta customers were disrupted and the airline says it expects the outage to cost it US$380 million in revenue for its September quarter.
Its disruption from the 19 July outage lasted longer than other US airlines impacted, something that has seen the US Department of Transportation open an investigation into Delta’s flight disruptions on July 24 – five days after the outage and when Delta was still working to resume normal service.
In a US securities filing, the airline says it’s pursuing legal claims against CrowdStrike and Microsoft ‘to recover damages caused by the outage, which total at least US$500 million’.
So far, so standard or at least not too unusual, albeit on a much larger scale than normal.
But prior to the filing, Delta – which has been hit by a class-action lawsuit filed on behalf of affected passengers – hit out at CrowdStrike with Delta CEO Ed Bastian lashing out in a CNBC interview.
Delta accused CrowdStrike of ‘negligence’ and misconduct and alleged the IT vendor had failed to do testing and validation.
CrowdStrike, in its return volley, accused the airline of refusing offers of help, including onsite assistance, and saying it ‘strongly rejects any allegation that it was grossly negligent or committed wilful misconduct…’.
Then came the more interesting bit: In a letter to Delta, CrowdStrike’s attorney suggested a failure by Delta to modernise its IT infrastructure was at fault for the longer disruption period, when rivals including United Airlines and American Airlines were up and running much more quickly.
It said if Delta pursued legal action, it would need to explain, among other things, why its competitors, facing similar challenges, all restored operations much faster and explain the design and operational resiliency capabilities of Delta’s IT infrastructure, ‘including decisions by Delta with respect to system upgrades, and all other contributory factors that relate in any way to the damage Delta allegedly suffered’.
The war of words fired up even more with Microsoft joining the fray in the increasingly contentious stoush between Delta and its tech partners.
Echoing CrowdStrike’s comments, Microsoft’s legal representative claimed Microsoft had immediately offered to assist Delta at no charge, ‘even though Microsoft’s software had not caused the CrowdStrike incident’ but was repeatedly turned down. An email from Microsoft CEO Satya Nadella to Bastian was ignored, Microsoft says. (Delta has since said offers for help from CrowdStrike’s CEO to Bastian were made four days after ‘the CrowdStrike disaster began’ and at a time when many critical systems were restored and ‘Delta’s confidence in CrowdStrike was naturally shaken’.)
The Microsoft letter accuses Delta of refusing Microsoft’s assistance because the key IT system it was struggling to restore – its crew tracking and scheduling system – were run on other systems, including IBM, rather than Windows or in Azure.
“Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernised its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants.”
Delta, responding to CrowdStrike’s allegations, accused the vendor of trying the ‘blame the victim’ defence.
“There is no basis – none – to suggest that Delta was in any way responsible for the faulty software that crashed systems around the world, including Delta’s,” the letter says.
“Incredibly, CrowdStrike released an automatic faulty update that crashed millions of Microsoft-Windows based machines without being able to automatically correct that error for several days. It is CrowdStrike’s conduct, and CrowdStrike’s conduct alone, for which CrowdStrike is liable.”
Delta says it has invested ‘billions of dollars in IT capital expenditures’ since 2016, in addition to billions spent annually in IT operating costs.
US legal experts have suggested that the suggestion Delta failed to modernise its IT infrastructure could be laying the groundwork for a defence of ‘contributory negligence’ – where damages were made worse by a failure to invest adequately in its IT.
IT professionals, however, would no doubt be quick to note that no IT system is every 100 percent failproof, no matter how much is invested.
The letter from CrowdStrike’s legal team also noted that any liability by CrowdStrike is contractually capped at an amount in the single-digit millions.
Delta, in a return salvo from its legal team, said given CrowdStrike’s conduct ‘there is no liability cap at single-digit millions’.
“The contract does not cap liability or damages for gross negligence or wilful misconduct.”
In a world increasingly full of a few key technology dependencies, this is one blame game which has yet to play out in court.
