Jump to content

Delta Air Lines v. Crowdstrike

Add links
From Wikipedia, the free encyclopedia
Delta Air Lines v. CrowdStrike
CourtSuperior Court of Fulton County, Georgia
Full case name Delta Air Lines, Inc. v. CrowdStrike, Inc.
CitationCivil action file No. 24CV013621
Case history
Related actionCrowdStrike v. Delta Air Lines (United States District Court for the Northern District of Georgia)
Court membership
Judge sittingKelly Lee Ellerbe

Delta Air Lines v. CrowdStrike is an ongoing legal dispute between Delta Air Lines and cybersecurity firm CrowdStrike arising from a global technology outage on July 19, 2024.

The outage, triggered by a flawed software update from CrowdStrike, caused widespread crashes of Microsoft Windows systems and led to disruptions across multiple industries, including air travel. Delta experienced the most severe operational impact among U.S. airlines, with thousands of flight cancellations and losses estimated at over $500 million. The airline subsequently filed a lawsuit against CrowdStrike, alleging gross negligence, computer trespass, and fraud. CrowdStrike denied the claims and filed a separate suit to limit its liability under its service agreement with Delta.

The case has drawn attention to the reliability of third-party software in critical infrastructure and the role of legacy IT systems in operational resilience.

Background

[edit]

A software update released by cybersecurity provider CrowdStrike on July 19 caused Microsoft Windows operating systems to crash worldwide. This incident forced major U.S. airlines, among other businesses, to halt operations.[1]

There were vastly different experiences of major airlines in the wake of this outage. While American Airlines largely recovered by the evening of the outage and had minimal cancellations the following day,[1] United Airlines took three days to get back on track, canceling over 1,400 flights. Delta Air Lines, however, was the hardest hit, experiencing a disruption that lasted five days, resulting in approximately 7,000 mainline and regional flight cancellations that impacted about 1.3 million customers and cost the airline approximately $500 million to $550 million.[1][2][3][4][5] Delta's CEO, Ed Bastian, stated that this figure included lost revenue and tens of millions of dollars per day in compensation and hotels.[4]

The differences in recovery time, especially Delta’s prolonged disruption, led to tensions between Delta, CrowdStrike, and Microsoft.[1] Delta blamed the outage on a faulty software update from CrowdStrike, which it claimed caused a major shutdown of critical systems.[6][7] Bastian announced that Delta would seek damages and emphasized the need for third-party software to be fully tested before being introduced into Delta’s systems.[4] Delta accused CrowdStrike of negligence and misconduct for failing to properly test the update.[6]

CrowdStrike rejected these claims and sought to dismiss much of Delta’s lawsuit.[8][9] While acknowledging the software flaw, CrowdStrike stated it identified and corrected the issue within hours and worked to support affected customers.[6] Along with Microsoft, CrowdStrike suggested that Delta’s outdated IT infrastructure and refusal to accept outside help contributed to the airline’s delayed recovery. CrowdStrike’s president publicly admitted the company made a serious error with the update.[8][10]

Experts have pointed to several contributing factors in Delta’s slow recovery, including reliance on Windows-based applications, outdated technology, and staffing challenges. A critical issue was the failure of Delta’s crew-tracking system, which left the airline unable to locate staff and reorganize operations. Delta stated that this failure was due to large amounts of incomplete data caused by the outage.[1][11]

The IT outage

[edit]
Main article: 2024 Delta Air Lines disruption

The global outage occurred on July 19, 2024, and was caused by a faulty software update from cybersecurity company CrowdStrike.[1] The update, which affected CrowdStrike’s Falcon security software, led to crashes in Microsoft Windows operating systems worldwide. It was deployed at 12:09 a.m. ET, and CrowdStrike identified the issue and reversed the update 78 minutes later, pushing out a fix within a few hours.[1][6]

The error stemmed from a mismatch in data fields introduced in a content update. A programming issue caused the software to attempt to access memory outside the allowed range, resulting in system crashes due to access violations and out-of-bounds errors.[6][12]

More than 8 million Windows-based computers were affected globally.[8][13][10][5][14] In addition to airlines, the outage disrupted railways, hospitals, emergency services, government offices, banks, hotels, media organizations, and retailers, impacting millions of people around the world.[2][6][14][7]

All major U.S. airlines were forced to suspend operations during the outage, but the recovery varied among carriers. American Airlines resumed most operations by the evening of the incident, and United Airlines required three days to recover. Delta Air Lines experienced the most significant disruption, with system-wide issues lasting over five days and drawing national attention.[1][6][14][15][9][2]

Delta canceled approximately 7,000 mainline and regional flights, affecting an estimated 1.3 to 1.4 million passengers.[1][8][9][2] The airline reported losses of around $500 million, including revenue loss and customer compensation such as hotel expenses. CEO Ed Bastian stated that the total losses were about $550 million, partly offset by $50 million in fuel savings.[4][1][8][10][16]

Delta Air Lines’ extended recovery following the outage became a point of contention among the companies involved. According to Delta, 60% of its mission-critical systems, including backups, operate on Microsoft Windows, requiring the manual reset of approximately 40,000 servers—a more complex process than that faced by other airlines.[1][4][14] Delta also cited the failure of its crew-tracking system as a key factor in its delayed recovery. Without access to crew location data, the airline was unable to restore operations efficiently.[1][3][11][17]

The crew-tracking system is operated by Kyndryl, but Delta argued that the disruption was caused by incomplete data resulting from the CrowdStrike update, which made the system unusable. Experts also suggested that Delta’s reliance on Windows-based systems may have contributed to its difficulties.[1]

CrowdStrike and Microsoft disputed Delta’s explanation, attributing the delay to outdated IT infrastructure and a lack of modernization.[14][9][7][5][18][2] CrowdStrike also stated that Delta declined multiple offers of assistance from the company and its partners, though Delta later claimed those offers came too late.[13] In legal filings, CrowdStrike alleged that Delta had various technical deficiencies, including issues with security practices, compromised credentials, and a custom script that it said reflected poor system hygiene.[6]

The U.S. Department of Transportation (DOT) opened an investigation into Delta Air Lines’ response to the outage. The department later classified the flight delays and cancellations resulting from the July 19, 2024, incident as a “controllable” event, placing responsibility for the disruptions on the airline.[4][5][6][15][2]

Lawsuit

[edit]

Delta Air Lines filed a lawsuit against CrowdStrike on October 25, 2024, approximately three months after the outage on July 19.[2][19][7] Prior to the filing, Delta had sent letters to CrowdStrike on July 29 and August 8, 2024, indicating its intent to take legal action.[6][10]

The lawsuit was filed in the Superior Court of Fulton County, Georgia, where Delta is headquartered in Atlanta.[13]

In its initial lawsuit, Delta Air Lines brought several claims against CrowdStrike in connection with the faulty software update and the resulting disruptions. Key allegations included:

  • Breach of contract[2][19]
  • Gross negligence, with Delta alleging that CrowdStrike failed to properly test and validate the update prior to deployment. Delta claimed that the error could have been discovered by testing on a single computer and characterized the conduct as “grossly negligent, and indeed willful, misconduct”.[19][8][6][10][5][14]
  • Deceptive and unfair business practices, a claim that was later dismissed by a Georgia state judge.[14][2]
  • Computer trespass, based on allegations that CrowdStrike deployed the update without authorization, despite Delta opting out of automatic updates. Delta also claimed that the Falcon software created and exploited an unauthorized access point in Windows.[19][14]
  • Fraud, a narrowed claim asserting that CrowdStrike had falsely promised not to introduce an unauthorized “back door” into Delta’s systems.[19][8][10]

Delta Air Lines described the software update from CrowdStrike as “catastrophic” and claimed it had “forced untested and faulty updates” onto its customers.[2][7] Delta sought to recover more than $500 million in direct losses, as well as additional damages for lost profits, legal expenses, reputational harm, and anticipated future revenue loss.[2][7][10][5] The airline estimated its total losses at approximately $550 million, offset by $50 million in fuel savings.[10][2][8][16]

CrowdStrike denied the allegations, describing Delta’s claims as “far-fetched” and asserting that the lawsuit was not valid under Georgia law due to contractual limitations on liability.[10][16][6][3] The company attributed Delta’s prolonged recovery to outdated IT systems and an alleged refusal of assistance.[5]

On the same day Delta filed its complaint in state court, CrowdStrike filed a separate lawsuit in federal court. The filing sought a declaratory judgment that its liability was limited under the Subscription Services Agreement between the companies.[2][10][19]

In May 2025, a Georgia state judge ruled that Delta Air Lines could proceed with claims of gross negligence, computer trespass, and a narrowed fraud allegation against CrowdStrike.[8][13][10] The court dismissed other claims, including intentional misrepresentation, fraud by omission, product liability, and deceptive business practices.[14]

The judge found that Delta had sufficiently alleged unauthorized access for the computer trespass claim and that it was plausible the update had not been properly tested or deployed in stages. However, the ruling indicated that any potential damages may be limited under the parties’ contract, likely amounting to a figure in the single-digit millions, rather than the $500 million Delta initially sought.[10]

Case status

[edit]

In May 2025, a Georgia state court ruled that Delta Air Lines could proceed with most of its lawsuit against cybersecurity firm CrowdStrike. Judge Kelly Lee Ellerbe of the Fulton County Superior Court allowed Delta to pursue claims of gross negligence and computer trespass.[8][10][13]

Judge Ellerbe noted that Delta alleged CrowdStrike could have detected the programming error by testing the July update on a single computer before deployment.[10] The ruling also cited a statement by CrowdStrike’s president, who publicly acknowledged that the company had done something “horribly wrong.”[20]

While the court allowed Delta’s claims of gross negligence and computer trespass to proceed, it dismissed the airline’s fraud claims related to statements made before June 2022.[21] However, the court permitted a limited fraud claim concerning allegations that CrowdStrike falsely promised not to install an “unauthorized back door” into Delta’s systems.[10][22]

Delta-CrowdStrike contract

[edit]

CrowdStrike is a cybersecurity company known for its Falcon platform, which provides services such as endpoint protection and threat intelligence.[12][6][1] A central component of the platform is the Falcon sensor, a software agent installed on endpoint devices to monitor and respond to security threats.[6]

Delta Air Lines entered into a contractual relationship with CrowdStrike under a Subscription Services Agreement (SSA) effective June 30, 2022.[12][6][2][7] Under the agreement, CrowdStrike was authorized to access Delta’s computer systems to provide subscription-based cybersecurity services. The SSA included a warranty from CrowdStrike stating it would use commercially reasonable efforts to avoid introducing unauthorized access points, such as “back doors,” “time bombs,” “Trojan horses,” or similar software.[12]

The agreement also contained provisions limiting liability. Section 9.1 capped each party’s liability to twice the amount paid for the relevant subscription term. Section 9.2 excluded liability for indirect, incidental, punitive, or consequential damages, including lost revenue, profits, or goodwill. These limitations did not apply in cases involving gross negligence or willful misconduct.[12][6]

Following the outage, CrowdStrike identified the cause of the issue and issued a fix within hours, reversing the faulty update 78 minutes after its initial deployment. The company stated that it worked with affected customers, including Delta Air Lines, and offered assistance through personnel, partners, and on-site support.[6]

Despite the disruption, Delta continues to use CrowdStrike’s cybersecurity products and services. CrowdStrike’s stock declined sharply after the incident but has since largely recovered.[9][3][14]

CrowdStrike v. Delta federal countersuit

[edit]

In response to Delta's lawsuit, CrowdStrike filed a separate lawsuit in federal court in the U.S. Northern District of Georgia. The federal case seeks a declaratory judgment concerning the contractual relationship between the two companies and aims to limit CrowdStrike’s legal liability.[6][23]

CrowdStrike argues that the dispute should be governed by its existing services agreement with Delta, which includes provisions limiting liability and excluding certain types of damages unless gross negligence or willful misconduct is proven, which are claims the company denies. CrowdStrike contends that federal court is the appropriate venue due to the involvement of federal statutes cited in related passenger class actions.[6][23]

In its court filing, CrowdStrike acknowledged that a software update caused the outage but stated that it promptly released a fix. The company claims that most affected airlines recovered quickly and attributes Delta’s extended disruption to the airline’s IT infrastructure and its choice not to accept CrowdStrike’s technical support.[6][23]

Federal class action lawsuit

[edit]

On June 19, 2025, the U.S. District Court for the Western District of Texas dismissed a federal class action lawsuit against CrowdStrike filed by airline passengers affected by the July 2024 outage.[24] Judge Robert Pitman found that the claims were preempted by the federal Airline Deregulation Act, which limits state-level legal actions related to airline services.[25]

The court held that “the plaintiffs here bring their suit against CrowdStrike, rather than against the airlines themselves, does not prevent ADA preemption.”[10] The ruling effectively shields CrowdStrike from consumer class action lawsuits related to airline service disruptions.[26]

See also

[edit]

References

[edit]
  1. ^ a b c d e f g h i j k l m n "Why the CrowdStrike crash hit Delta harder". www.travelweekly.com. Retrieved 2025-05-29.
  2. ^ a b c d e f g h i j k l m n "Delta Air Lines Launches Lawsuit Against CrowdStrike Over July Outage". www.asisonline.org. Retrieved 2025-05-29.
  3. ^ a b c d Goswami, Rohan (2024-12-17). "CrowdStrike moves to dismiss Delta Air Lines suit, citing contract terms". CNBC. Retrieved 2025-05-29.
  4. ^ a b c d e f Yildirim, Leslie (2024-07-31). "Delta CEO says CrowdStrike-Microsoft outage cost the airline $500 million". CNBC. Retrieved 2025-05-29.
  5. ^ a b c d e f g Wheeler, Kitty (2024-10-28). "Delta & CrowdStrike Global IT Outage: Explained". technologymagazine.com. Retrieved 2025-05-29.
  6. ^ a b c d e f g h i j k l m n o p q r s t CrowdStrike, Inc. vs Delta Air Lines, Inc. (United States District Court for the Northern District of Georgia 2024), Text.
  7. ^ a b c d e f g "Delta sues CrowdStrike over software update that prompted mass flight disruptions | CNN Business". CNN. 2024-10-26. Retrieved 2025-05-29.
  8. ^ a b c d e f g h i j "Delta allowed to proceed with lawsuit against CrowdStrike over outage". FOX 5 Atlanta. 2025-05-20. Retrieved 2025-05-29.
  9. ^ a b c d e Alspach, Kyle. "CrowdStrike Seeks Dismissal For Most Of Delta Lawsuit Claims". www.crn.com. Archived from the original on 2025-02-01. Retrieved 2025-05-29.
  10. ^ a b c d e f g h i j k l m n o Stempel, Jonathan (2025-05-19). "Delta can sue CrowdStrike over computer outage that caused 7,000 canceled flights". Reuters. Retrieved 2025-05-29.
  11. ^ a b CBS News (2024-07-23). Delta struggles to recover from global tech outage. Retrieved 2025-05-29 – via YouTube.
  12. ^ a b c d e https://regmedia.co.uk/2025/05/21/order_crowdstrike.pdf [bare URL PDF]
  13. ^ a b c d e "Delta's lawsuit against CrowdStrike given go-ahead".
  14. ^ a b c d e f g h i j Riley, Kim (2025-05-28). "Georgia judge dismantles most of Delta's $500M lawsuit against CrowdStrike - Transportation Today". Transportation Today. Retrieved 2025-05-29.
  15. ^ a b Raby, Dan (2025-05-09). "Delta must face class action lawsuit over CloudStrike outage, judge rules". FOX 5 Atlanta. Retrieved 2025-05-29.
  16. ^ a b c Klint, Matthew (2025-05-21). "Delta's $500M Lawsuit Against CrowdStrike Moves Ahead—But Passengers Are Suing Too". Live and Let's Fly. Retrieved 2025-05-29.
  17. ^ "Why Delta Was Hit So Hard by the Global IT Outage". Aviation Pros. 2024-07-22. Retrieved 2025-05-29.
  18. ^ Atlanta News First (2024-08-06). Microsoft blames Delta for airline's long recovery from global tech outage. Retrieved 2025-05-29 – via YouTube.
  19. ^ a b c d e f Josephs, Jordan; Novet, Leslie (2024-10-25). "Delta, CrowdStrike sue each other over widespread IT outage that caused thousands of cancellations". CNBC. Retrieved 2025-05-29.
  20. ^ Kobie, Nicole (2025-05-20). "CrowdStrike prepares for battle as Delta given go-ahead for outage lawsuit". IT Pro. Retrieved 2025-06-25.
  21. ^ Novinson, Michael. "Judge Lets Delta Lawsuit Over CrowdStrike Outage Proceed". www.bankinfosecurity.com. Retrieved 2025-06-25.
  22. ^ "Delta can sue CrowdStrike over computer outage that caused 7,000 canceled flights". The Economic Times. 2025-05-20. ISSN 0013-0389. Retrieved 2025-06-25.
  23. ^ a b c "CrowdStrike-Delta lessons for third-party risk management". Freeman Mathis & Gary. 2024-11-12. Retrieved 2025-05-29.
  24. ^ Fullerton, Adam (2025-06-19). "Class action lawsuit over CrowdStrike outage that grounded planes dismissed by US court". FOX 7 Austin. Retrieved 2025-06-25.
  25. ^ Novinson, Michael (2025-06-19). "Judge Axes Flight Disruption Suit Tied to CrowdStrike Outage". www.bankinfosecurity.com. Retrieved 2025-06-25.
  26. ^ "CrowdStrike Legal Battles: Federal Dismissal and Ongoing State Court Fight". www.linkedin.com. Retrieved 2025-06-25.
[edit]
Retrieved from "https://en.wikipedia.org/w/index.php?title=Delta_Air_Lines_v._Crowdstrike&oldid=1303346224"