Microsoft and CrowdStrike have defended themselves against a series of accusations by Delta, saying the US airline, which was particularly badly hit during the 19 July software outage, rejected their offers of help and had only itself to blame for cancelling thousands of flights, including some scheduled to deliver American athletes to the Paris Olympics.
As a legal battle takes shape between the three organisations, Delta CEO Ed Bastian last week told US news channel CNBC that he had no choice but to sue CrowdStrike, citing the significant sums his business spent on compensating stranded passengers. He also accused the two suppliers of failing to properly collaborate to ensure such technical issues did not arise.
However, following representations to both companies by Delta’s lawyer, David Boies, Microsoft’s representatives accused Bastian and Delta of misrepresenting the facts of the incident.
“Microsoft empathises with Delta and its customers … but your letter and Delta’s public comments are incomplete, false, misleading, and damaging to Microsoft and its representation,” wrote Mark Cheffo of New York law firm Dechert LLP.
“Even though Microsoft’s software had not caused the CrowdStrike incident, Microsoft immediately jumped in and offered to assist Delta at no charge following the 19 July outage.
“Each day that followed from July 19 through July 23, Microsoft employees repeated their offers to help Delta. Each time, Delta turned down Microsoft’s offers to help, even though Microsoft would not have charged Delta for this assistance,” he added.
Cheffo went on to say that on 24 July, Microsoft CEO Satya Nadella had personally reached out to Bastian by email, but was ignored.
The letter further accused Delta of refusing Microsoft’s assistance because the parts of its IT estate that it was struggling to restore – its crew-tracking and scheduling systems – were serviced by providers “such as IBM” and do not run on Microsoft Windows or in the Azure cloud.
Outdated IT infrastructure
Cheffo added: “Microsoft continues to investigate the circumstances surrounding the CrowdStrike incident to understand why other airlines were able to fully restore business operations so much faster than Delta, including American Airlines and United Airlines.
“Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernised its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants.”
He said Microsoft would “vigorously defend” itself against any litigation should Delta pursue it.
Meanwhile, over the weekend of 4-5 August, CrowdStrike’s legal representative Michael Carlinsky of Quinn Emanuel also spoke up for the embattled cyber security supplier, whose tainted rapid response update caused the series of crashes that downed the systems of Delta and others.
In a letter to Boies, Carlinsky wrote: “CrowdStrike is highly disappointed by Delta’s suggestions that CrowdStrike acted inappropriately and strongly rejects any allegation that it was grossly negligent or committed wilful misconduct,” he said.
He wrote that CrowdStrike had also reached out to Delta to offer assistance and that CEO George Kurtz had also reached out to Bastian but, like Nadella, “received no response”.
‘Misleading narrative’
“CrowdStrike followed up with Delta on the offer for onsite support and was told that the onsite resources were not needed. To this day, CrowdStrike continues to work closely and professionally with the Delta information security team,” wrote Carlinsky.
“Delta’s public threat of litigation distracts from this work and has contributed to a misleading narrative that CrowdStrike is responsible for Delta’s IT decisions and response to the outage.”
He warned that should a court case ensue, Delta would have to explain a number of points, including why its competitors were able to recover so much quicker and why it turned down offers of help, and answer questions over the design and operational resilience of its IT systems, particularly with regard to updates.
In a statement provided to Computer Weekly’s sister title TechTarget Security, a CrowdStrike spokesperson said the firm had expressed its regret and apologies to customers.
“Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive,” they said.