CrowdStrike shareholders sue, alleging false security claims
A US pension fund is lining up a lawsuit against CrowdStrike, claiming the cyber company lied about the integrity of its systems, leading to failings that caused a worldwide IT outage
CrowdStrike shareholders have filed a lawsuit in the United States in which they claim the cyber security firm made materially false and misleading representations about the integrity of its technology. They also claim that CrowdStrike defrauded them by concealing that inadequate attention to software testing could cause an incident such as the one on 19 July, which saw millions of computers crash around the world.
Based on the currently known facts of the investigation, the outage was caused by a faulty update to the CrowdStrike Falcon managed detection and response (MDR) sensor which was cleared for launch by a bugged automatic content validator. When it hit susceptible Windows systems, it caused an out-of-bounds memory condition leading to a fatal crash.
As a result of the crashes affecting more than eight million computers, organisations in diverse sectors including aviation, education, financial services, healthcare and retail found their operations disrupted, with airlines – particularly Delta Air Lines in the US – very badly affected.
Insurance firm Parametrix estimates Fortune 500 companies alone are set to lose over $5.4bn, and the incident may cost over $15bn when others are taken into account.
In the filing, made at the US District Court for the Western District of Texas in Austin, the Massachusetts-based pension and benefits provider Plymouth County Retirement Association, represented by New York law firm Labaton Keller Sucharow, accuses the defendants, which include CrowdStrike CEO George Kurtz and others, of repeatedly touting the efficacy of the company’s Falcon platform while assuring investors on a March 2024 earnings call that it was fully “validated, tested and certified”.
The fund’s complaint alleges these statements were false and misleading because they failed to disclose that CrowdStrike had instituted “deficient controls” in the Falcon update procedure and was not properly testing updates prior to rolling them out.
The lawsuit further contends that this “inadequate” software testing caused a substantial risk that a Falcon update could cause a serious outage of the type seen in July, and that these outages could, and did, create “substantial reputational harm and legal risk”.
Ultimately, the claimant says, this caused CrowdStrike stock – which has taken a hammering on global markets – to trade at “artificially high prices”.
In a statement to media, a CrowdStrike spokesperson said: “We believe the case lacks merit and will vigorously defend the company.”
Delta boss: We have no choice but to sue
Meanwhile, others, including Delta, are also mounting legal cases against CrowdStrike in the wake of the incident. Delta has hired star lawyer David Boies, who has previously fought against Microsoft in a 1990s anti-trust case, and served as lead counsel for former vice-president Al Gore in challenges to the 2000 Florida vote count.
Speaking to US network CNBC on 31 July, Delta CEO Ed Bastian said all its systems were now working, but that the experience had been “terrible” and apologised again to affected passengers, who included American athletes headed to the Paris Olympics, and staff.
“We are heavy with both [Microsoft and CrowdStrike]. We are by far the heaviest in the industry with both and so we got hit the hardest in terms of the recovery capability,” said Bastian.
Bastian said that as both CrowdStrike and Microsoft compete in the cyber security arena, they don’t partner together as effectively as joint customers might hope, and that the incident had been a call to organisations to hold technology firms’ feet to the fire in terms of responsible cooperation.
“This cost us a half a billion dollars,” he said, adding that Delta had “no choice” but to sue, citing significant expenditure every day for almost a week on compensating and providing temporary hotel accommodation for thousands of stranded passengers.
“If you’re going to be having priority access to the Delta ecosystem in terms of technology, you’ve got to test the stuff. You can’t come into a mission-critical 24/7 operation and tell us we have a bug, it doesn’t work,” he said.
Read more Computer Weekly and TechTarget coverage of the CrowdStrike incident
- 19 July 2024: An update to CrowdStrike’s Falcon service has led to many Windows users being unable to work this morning. Microsoft 365 is also affected.
- The Emis Web IT system used by more than half of GP practices in the UK is down, following the worldwide Microsoft outage.
- The global outage of Microsoft is rapidly sending shockwaves across all sectors, demonstrating the risk of having a single point of failure.
- A CrowdStrike update with a faulty sensor file has global implications for Windows systems. But competitors need to limit the finger-pointing in case it happens to them.
- As organisations recover from today’s outages, the cyber security industry will need to develop new security software evaluation criteria and requirements and learn to parlay risks.
- 22 July: About 8.5 million devices globally were hit by the botched CrowdStrike update, with a significant number now back online and operational.
- The concentration of so much mission-critical technology in the hands of a few large suppliers makes incidents like the Microsoft-CrowdStrike outage all the more dangerous.
- Financially motivated cyber criminals are already conducting opportunistic attacks on organisations that leverage the CrowdStrike incident, and more targeted attacks are sure to follow.
- 23 July: The ‘blue screen of death’ signals a catastrophic Windows failure, which is exactly what many people faced on 19 July 2024 – but why did it happen? One former Microsoft engineer has a theory.
- Disaster recovery has centered on cyberattacks the past few years, but the CrowdStrike outage illustrates why companies can't forget about traditional business continuity.
- 24 July: Enterprises that emerged unscathed from the roll-out of the botched CrowdStrike software update are being urged to view it as a wake-up call rather than a lucky escape.
- The largest global organisations hit by the CrowdStrike-Microsoft incident on 19 July will likely be out of pocket to the tune of billions of dollars.
- CrowdStrike publishes the preliminary findings of what will be a lengthy investigation into the root causes of the failed 19 July update that caused Windows computers to crash all over the world.
- 25 July: Microsoft has pointed the finger at EU regulators, blaming them for a ruling that means it needs to offer third parties like CrowdStrike access to the core Windows OS.
- 26 July: Experts say efforts to avoid incidents such as last week's CrowdStrike outage will face time-honoured tradeoffs between velocity, stability, access and security.
- CrowdStrike customers grappling with blue screens of death from the recent IT outage may be able to sidestep BitLocker encryption schemes and recover their Windows systems.
- 29 July: The vast majority of CrowdStrike Falcon sensors affected by a coding error have now been recovered, with a final resolution expected this week.
- Malicious domains exploiting CrowdStrike’s branding are popping up in the wake of the 19 July outage. Experts share some noteworthy examples, and advice on how to avoid getting caught out.
- 30 July: Microsoft will explore alternatives to direct kernel access for partners following the CrowdStrike outage. But some IT pros worry that change could do more harm than good.
- Enterprises with the IT talent might turn to open-source software as a backup for commercial products to mitigate damage from a CrowdStrike-like IT outage.
- 31 July: Following the CrowdStrike outage, experts recommended that health IT security practitioners focus on building resilience and tackling third-party risk.
- Communications are critical during an emergency. This is especially true for highly unpredictable disruptions, such as the recent CrowdStrike outage.