Microsoft, SecOps pros weigh kernel access post-CrowdStrike Scam CrowdStrike domains growing in volume

CrowdStrike shareholders sue, alleging false security claims

A US pension fund is lining up a lawsuit against CrowdStrike, claiming the cyber company lied about the integrity of its systems, leading to failings that caused a worldwide IT outage

CrowdStrike shareholders have filed a lawsuit in the United States in which they claim the cyber security firm made materially false and misleading representations about the integrity of its technology. They also claim that CrowdStrike defrauded them through covering up that inadequate attention to software testing could cause the 19 July incident that saw millions of computers crash around the world.

Based on the currently known facts of the investigation, the outage was caused by a faulty update to the CrowdStrike Falcon managed detection and response (MDR) sensor which was cleared for launch by a bugged automatic content validator. When it hit susceptible Windows systems, it caused an out-of-bounds memory condition leading to a fatal crash.

As a result of the crashes affecting more than eight million computers, organisations in diverse sectors including aviation, education, financial services, healthcare and retail found their operations disrupted, with airlines – particularly Delta Air Lines in the US – very badly affected.

Insurance firm Parametrix estimates Fortune 500 companies alone are set to lose over $5.4bn, and the incident may cost over $15bn when others are taken into account.

In the filing, made at the US District Court for the Western District of Texas in Austin, the Massachusetts-based pension and benefits provider Plymouth County Retirement Association, represented by New York law firm Labaton Keller Sucharow, accuses the defendants, which include CrowdStrike CEO George Kurtz and others, of repeatedly touting the efficacy of its Falcon platform while assuring investors that it was fully “validated, tested and certified” on a March 2024 earnings call.

The fund’s complaint alleges these statements were false and misleading because they failed to disclose that CrowdStrike had instituted “deficient controls” in the Falcon update procedure and was not properly testing them prior to rolling them out.

The lawsuit further contends that this “inadequate” software testing caused a substantial risk that a Falcon update could cause a serious outage of the type seen in July, and that these outages could, and did, create “substantial reputational harm and legal risk”.

Ultimately, the claimant says, this led to CrowdStrike stock – which has taken a hammering on global markets – to trade at “artificially high prices”.

In a statement to media, a CrowdStrike spokesperson said: “We believe the case lacks merit and will vigorously defend the company.”

Delta boss: We have no choice but to sue

Meanwhile, others, including Delta, are also mounting legal cases against CrowdStrike in the wake of the incident. Delta has hired star lawyer David Boies, who has previously fought against Microsoft in a 1990s anti-trust case, and served as lead counsel for former vice-president Al Gore in challenges to the 2000 Florida vote count.

Speaking to US network CNBC on 31 July, Delta CEO Ed Bastian said all its systems were now working, but that the experience had been “terrible” and apologised again to affected passengers, who included American athletes headed to the Paris Olympics, and staff.

“We are heavy with both [Microsoft and CrowdStrike]. We are by far the heaviest in the industry with both and so we got hit the hardest in terms of the recovery capability,” said Bastian.

Bastian said that as both CrowdStrike and Microsoft compete in the cyber security arena, they don’t partner together as effectively as joint customers might hope, and that the incident had been a call to organisations to hold technology firms’ feet to the fire in terms of responsible cooperation.

“This cost us a half a billion dollars,” he said, adding that Delta had “no choice” but to sue, citing significant expenditure every day for almost a week on compensating and providing temporary hotel accommodation for thousands of stranded passengers.

“If you’re going to be having priority access to the Delta ecosystem in terms of technology, you’ve got to test the stuff. You can’t come into a mission-critical 24/7 operation and tell us we have a bug, it doesn’t work,” he said.

Read more Computer Weekly and TechTarget coverage of the CrowdStrike incident

Read more on Application security and coding requirements