The meltdown suffered by Delta Air Lines following the CrowdStrike technology outage cost the company “half a billion dollars,” Delta CEO Ed Bastian said in a televised interview Wednesday, vowing to pursue claims against the security firm and Microsoft.
Bastian told CNBC his company was hit hardest among airlines because “we’re by far the heaviest in the industry” in using both CrowdStrike and Microsoft. The July 19 outage, the result of a faulty CrowdStrike security update, hit users of Microsoft applications across the globe.
“So we got hit the hardest in terms of the recovery capability,” Bastian said on CNBC’s Squawk Box show on Wednesday morning, in his first such appearance since the airline’s mass cancellations began.
“This cost us a half a billion dollars,” he said, including lost revenue and tens of millions of dollars a day in compensation to customers and hotel costs.
Delta canceled more than 6,000 flights, stranding hundreds of thousands of passengers with thousands ending up stuck in airports worldwide. Even after Delta got systems back up and running, the airline’s crew tracking system remained overloaded and dysfunctional.
The outage bruised Delta’s reputation as a premiere global airline and for consistent reliability and also triggered a U.S. Department of Transportation investigation into Delta’s treatment of customers.
Atlanta-based Delta has hired law firm Boies Schiller Flexner to pursue potential claims against Microsoft and CrowdStrike.
“We have no choice,” Bastian said. “You can’t come into a mission critical 24/7 operation and tell us we have a bug.”
He added that Delta had more than 40,000 servers it had to physically reset, “and they didn’t all come back on the way they left when they went off.”
“We’re looking to make certain that we get compensated, however they decide to, for what they cost us,” Bastian said.
Liability limitations
One issue for many companies is that standard software license agreements typically shield software makers from much of the liability for outages, according to Jeffrey Vagle, an assistant professor of law at Georgia State University with expertise in cybersecurity law.
“It’s very difficult to hold software vendors liable for their software because of these liability limitations that are in most software terms and conditions,” Vagle said. But, he said, “Delta is maybe not necessarily looking to win in court, but to force a settlement. Because I don’t think CrowdStrike wants to be in the news any longer.”
Emory Law Professor Ifeoma Ajunwa said there’s also a question of negligence and whether this was a foreseeable event, in which case CrowdStrike may have had a duty to ensure it does not impact airlines to such an extent.
She noted large companies would typically have insurance for disruptions that are financially debilitating, though that insurance could be limited and may not cover foreseeable events.
A company like Delta might hire a law firm to pursue potential claims against software providers, but may also hope to get a court ruling to determine if it was an unforeseeable event that is covered by insurance.
As debilitating outages become more prevalent, it could prompt insurance companies to further limit what they cover, arguing that such events are foreseeable and could have been prevented, Ajunwa said.
Well before the CrowdStrike outage, Southwest Airlines in December 2022 had a meltdown of its operations that started during a storm and worsened as days wore on due to problems with its crew scheduling software. Some questioned why Delta didn’t take action to better respond to outages after the Southwest debacle, which exposed that carrier’s outdated crew management system, and other airline disruptions.
On Wednesday, Bastian spoke with Squawk Box hosts in Paris, where Delta is a sponsor of Team USA at the Olympics. Bastian’s departure to Paris last week for the Games as Delta was still grappling with the effects of flight disruptions prompted criticism from some.
From Paris, Bastian said the impact of the outage has “been a wake-up call for me.”
“How do you rethink the fortification?” Bastian said. “We thought we had the best between Microsoft and CrowdStrike. In fact, they’re integrated. That’s what caused a lot of the slowdowns because it was hard to kind of decouple them.”
Ajunwa said companies “really need to think about how they organize their operations to create safeguards to prevent these types of incidents, especially because they now will become foreseeable and will generally not be covered by insurance — even if they are now.”
“We’re reaching an age where a lot of functions that were typically done by humans — booking airlines, booking hotels, etc. — are going to be delegated to AI agents. And so these types of issues are going to become more prevalent,” she said. With so many functions now automated, “it will most likely happen again.”
“What sort of safeguards, what sort of redundancy do they want to build into the system, such that when this happens it doesn’t cripple the whole airline infrastructure?” Ajunwa said.
Federal pressure
While Delta works to address technology shortfalls, airlines are also under pressure to improve treatment of passengers whose flights were disrupted during and after the outage.
On Tuesday, U.S. Transportation Secretary Pete Buttigieg sent letters to Bastian and other airline CEOs emphasizing that he expects carriers to comply with refund requirements that are part of the Federal Aviation Administration Reauthorization Act passed in May.
Buttigieg told airlines they must clearly inform passengers of their right to a cash refund when their flight is canceled or significantly changed and they don’t want to be rebooked — and that if they opt for vouchers or credits instead, they must be valid for at least five years.
“And if airlines tell travelers that they will not offer a refund or give travelers the runaround, passengers will continue to be advised to file a complaint with the DOT Office of Aviation Consumer Protection,” Buttigieg wrote.
___
© 2024 The Atlanta Journal-Constitution
Distributed by Tribune Content Agency, LLC.