CrowdStrike's legal counsel said in a letter to Delta Airlines that it isn't to blame for its "decisions and response to the IT outage."
Delta Airlines said it would sue CrowdStrike for $500 million in damages after an update led to a global IT outage involving Microsoft software. Delta CEO Ed Bastian told CNBC that it has no choice but to sue CrowdStrike for damages. CrowdStrike CEO George Kurtz has been called to testify before Congress about the outage.
- From Blue Screen to Blackout: Unpacking the CrowdStrike Catastrophe and Industry Implications
- CrowdStrike outage likely to hit cybersecurity's platformization pitch
- Cybersecurity platformization: What you need to know
In a letter to Delta sent to the press, CrowdStrike external counsel said that if the airline pursues the lawsuit it will have to explain how failed to respond well to the IT outage.
CrowdStrike counsel said that Delta turned down or didn't respond to help from the security vendor. Delta will have to also explain "why Delta competitors, facing similar challenges, all restored operations much faster" as well as its actions in response to the incident.
In addition, CrowdStrike noted that its liability is contractually capped "at an amount in the single-digit millions."
Add it up and CrowdStrike said that Delta's IT infrastructure and resiliency is also in question. CrowdStrike demanded that Delta preserve all records and communications related to the response.
My take
We've seen these scathing letters between customers and vendors before--usually in ERP failures. Usually, these lawsuits are settled out of court because the trials are messy. Here's the unhappy triad: Vendor, customer and systems integrator. The three parties all blame each other and it's a bad look for everyone.
The CrowdStrike-Delta battle will also be settled out of court, once it's clear that the public back-and-forth benefits neither party. For CrowdStrike, the forceful response is designed to prevent other customers from suing.
What remains to be seen is the following:
- How much of the CrowdStrike-Microsoft outage is covered by insurance? Probably not much.
- If CrowdStrike liability is capped in each customer contract, what is the total sum across the customer base?
- What is the long-term fallout to CrowdStrike's brand?
- How difficult is it to switch cybersecurity platforms?
- Are the resiliency issues surfaced by the CrowdStrike outage widespread beyond just one vendor?
