Delta sues CrowdStrike over July outage that caused major flight disruptions

Delta Air Lines has filed a lawsuit against cybersecurity firm CrowdStrike, seeking damages after a software update led to a significant outage in July, forcing the airline to cancel around 7,000 flights and impacting over 1.3 million passengers.

The outage, Delta alleges, resulted from a faulty update to CrowdStrike’s Falcon Sensor security software, which reportedly crashed around 8.5 million Windows-based computers worldwide.

Filed in Georgia’s Fulton County Superior Court on October 25, Delta’s suit describes the software update as “catastrophic” and claims it has cost the airline over $500 million in direct and reputational losses.

According to Delta, the incident occurred on July 19 when a security update from CrowdStrike malfunctioned, resulting in widespread system crashes across industries, including banking, healthcare, and media.

Delta asserts that if CrowdStrike had tested the update adequately, it could have avoided this disruption.

Although other airlines affected by the update resumed operations relatively quickly, Delta claims it experienced extended delays due to its reliance on CrowdStrike’s software.

The incident is now under investigation by the US Department of Transportation.

CrowdStrike responded, rejecting Delta’s claims and arguing that Delta’s “antiquated IT infrastructure” and slow recovery exacerbated the disruption.

The cybersecurity firm also suggested that Delta’s allegations reflect a misunderstanding of how modern cybersecurity works, asserting that it has been working closely with Delta’s teams to manage the aftermath of the outage.

Additionally, CrowdStrike’s spokesperson said the company is prepared to defend itself vigorously against Delta's accusations.

The July outage has brought cybersecurity vulnerabilities in the airline industry to the forefront. Delta CEO Ed Bastian criticized both CrowdStrike and Microsoft, asserting that the companies failed to deliver the “exceptional service” expected for a critical system that supports global operations.

Microsoft, whose systems were also affected, has pledged to defend itself against Delta's claims, noting that Delta’s recovery lagged behind other airlines due to insufficient IT modernization.

CrowdStrike’s executives have since expressed regret over the incident, with Senior Vice President Adam Meyers apologizing before Congress and vowing to improve testing procedures.

Microsoft also announced a cybersecurity summit to be held at its Redmond headquarters, aimed at addressing vulnerabilities and developing a more resilient ecosystem in partnership with government and industry leaders.

As Delta’s lawsuit moves forward, the outcome could set a precedent for legal accountability in cybersecurity failures.

The incident has already triggered multiple lawsuits, including a shareholder action against CrowdStrike for allegedly concealing risks associated with insufficient software testing.