CrowdStrike’s legal pressures mount, could blaze path to liability

The CrowdStrike update that hobbled businesses, disrupted consumer travel plans, and took French and British broadcasters offline has predictably led to a host of lawsuits filed by investors and customers of both CrowdStrike and other affected companies.

Yet the incident could lead to another destination: software liability.

The overall consensus among legal experts is that CrowdStrike is likely protected by its terms and conditions from reimbursing customers for more than they paid for the product, limiting its software liability in what the company now refers to as “the Channel File 291 Incident.” However, the fact that affected businesses and consumers have little recourse to recover damages will likely lend momentum to legislation and state regulations to hold firms responsible for such chaos, says Chinmayi Sharma, associate professor of law at Fordham University.

“This is an extremely interesting and important example of why the call for greater software liability is urgent, from the standpoint of protecting critical infrastructure and protecting the consumer,” she says. “There are these massive barriers in existing doctrine that prevent users, licensees, purchasers of software, and third parties from bringing successful lawsuits against software manufacturers, and so I think that this will be an exemplary case of why reform is necessary to address those big barriers.”

On July 19, CrowdStrike pushed an update to its sensors to detect additional attacks that use a particular Windows features known as “named pipes.” According to the firm’s Aug. 6 root-cause analysis, the update — a Channel File numbered 291 — “defined 21 input parameters, but the integration code … supplied only 20 input values to match against.” The difference caused an out-of-bounds memory read, leading the Windows systems that received and applied the update to crash with the blue screen of death.

The bad update affected 8.5 million computers, caused at least $5.4 billion in damages to the Fortune 500, and caused widespread operational disruption, particularly among airlines and healthcare firms.

In a statement filed with the SEC on August 8, Delta — the worst-hit airline — estimated a $380 million direct revenue impact due to its refunding of customers for canceled flights and $170 million in recovery costs. The company canceled 7,000 flights over five days, angering its customers but also leading to a scant savings of $50 million in fuel due to the cancellations.

“An operational disruption of this length and magnitude is unacceptable, and our customers and employees deserve better,” said Ed Bastian, CEO of Delta, in the filing. “We are pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage, which total at least $500 million.”

Lawsuits Already on Tap

Delta is far from the only lawsuit. CrowdStrike is facing class-action lawsuits from investors after its stock price plummeted more than 36%, from $343 on July 18 — the day before the bad update — to less than $218 on Aug. 2.

The incident has resulted in numerous shareholder lawsuits, and not just against CrowdStrike, but against Delta as well. A sampling of current lawsuits:

To read the complete article, visit Dark Reading.