The Blue Screen of Death: CrowdStrike’s Problematic Software Update Upends the Travel Industry

By: Noah Plafker

On July 19, 2024, the world was introduced to the “blue screen of death.”  People would soon become accustomed to the upside down smiley face, because within a few hours most of the world would be turned upside down in what could be considered the biggest IT outage in history.  CrowdStrike is an American-based cybersecurity company that provides services intended to stop breaches, ransomware, and cyberattacks.  The worldwide outage was due to a faulty update the company released, which had been deployed to computers around the world running Microsoft Windows.  CrowdStrike was launched in 2012, and its cybersecurity software is now used by 300 of the Fortune 500 companies, including banks, energy companies, food companies, healthcare companies, and airlines.  The airlines in particular were hit hard by the outage and continue to face obstacles such as pending class action lawsuits.

While millions were affected worldwide, one of the most disrupted industries was the airline industry.  By the afternoon of July 19, there were purportedly more than 4,000 flight cancellations and 35,000 flight delays globally.  In the United States, the three largest airlines, American Airlines, United Airlines, and Delta Airlines, requested that the Federal Aviation Administration (“FAA”) order a ground stop, a safety tool under which the FAA orders air traffic controllers to require aircraft to remain on the ground at their originating airport.  The subtle blue screen caused wide disruptions all around the world, and although CrowdStrike deployed a fix in just 79 minutes, services and industries around the globe would feel the effects for months to come.

The update CrowdStrike deployed to Microsoft Windows computers will have a significant ripple effect, directly impacting the profits of major global industries.  Services like hospitals, financial institutions, and airlines are all reporting significant losses, with the healthcare industry claiming the highest amount.  Because of the faulty update, hospitals were forced to delay appointments and services, which is estimated to have cost the industry $1.94 billion.  The financial industry will incur losses close to a billion dollars, and the aviation industry's losses are estimated at $860 million.

The real issue is not just that these companies are losing money; it’s that a single faulty update triggered a ripple effect so severe, it nearly brought global operations to a standstill.  This is especially evident in the aviation industry.  Airlines face flight delays and cancellations daily; however, the sheer magnitude of the effect that this single disruption has had on airlines throughout the past few months is unprecedented.  For example, of the big three airlines in the United States, United Airlines, American Airlines, and Delta Airlines, Delta has been hit hardest by the IT outage.  Most flights and airlines were back on normal schedules by the end of the weekend; however, Delta failed to resume normal flight operations, continuing to cancel flights into the following weeks, and even through the end of the month.  Following the outage and the outrage from passengers, Delta has tried to take steps to reimburse its customers, but this has led to many disputes and unsatisfied passengers.

Delta has been hit with multiple class action lawsuits from passengers who were affected by the IT outage.  One group of passengers has filed a putative class action suit in the United States District Court of the Northern District of Georgia, asserting that Delta violated its policies to provide flight refunds, hotel accommodations, and related expenses when flights were canceled.  They claim Delta breached its contract with customers, resulting in them spending more money on alternative transportation methods.  Members of the class action claim they incurred losses ranging from $1,500 to $10,000 and have yet to be reimbursed by Delta.  In the United States, there are laws in place to help make sure passengers get reimbursed by air carriers.  Just recently the Biden administration announced that the U.S. Department of Transportation (“DOT”) issued a new rule outlined in 49 U.S.C.S §42305 that would require airlines to promptly provide passengers cash refunds for flight cancellations or significant delays.  These statutes outline requirements for air carriers to provide refunds for cancelled or significantly delayed flights to, from, or within the United States.  The IT outage affected thousands of businesses worldwide, and the fact remains that Delta still has a legal obligation to refund and accommodate all passengers who were affected.

The point is that the IT outage affected millions across the globe and created a massive headache for both industry leaders as well as everyday people, while also outlining the real effects of an actual widespread cybersecurity attack.  This CrowdStrike incident has exposed just how unprepared we are to face modern cybersecurity threats.  If this had been a real cybersecurity threat, the fallout could have been much more disastrous than not getting refunded or missing your cruise vacation due to delayed flights.  Everything in our world today is digitally connected and an outage like this affects things from our food supply to our energy systems.  We should count ourselves lucky that this incident occurred on the scale it did and was only a faulty software update rather than a malicious attack.  Companies and all of humanity can look at this event and understand that cyberattacks are the new era of threats that our world faces.

In just over a month, the United States will face a pivotal presidential election, and it’s crucial to recognize that this recent faulty update could serve as a warning.  It illustrates what a real attack on our voting systems by a malicious external adversary might look like.  This is the kind of example that underscores why we need to become better versed in data protection and aware of the potential issues society could face in the wake of a real IT cyberattack.  As frightening as it is to imagine, the world we live in is one that runs on technology and it is only going to keep advancing, which is what we need to do as well.

It has been a few months since CrowdStrike’s faulty update, and the need for answers is still pressing.  The U.S. House of Representatives Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing in late September that will feature testimony from a senior executive at CrowdStrike.  The goal of this hearing is to unveil how this incident happened and the steps being taken to ensure it does not happen again, and to reassure Americans and people around the world that actions need to be taken in both the public and private technology sectors to ensure everyone is safe from a potential real cyberattack.

 

Student Bio: Noah Plafker is a second-year law student at Suffolk University Law School.  He is a staff member for the Journal of High Technology Law and received a Bachelor of Arts degree in Political Science from the University of Colorado Boulder.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

 
