Incident & Breach Response , Legislation & Litigation , Security Operations
CrowdStrike Has Yet to See Any Customer Lawsuits Over Outage
'We Don't Know How It's All Going to Shake Out,' Says CFO, 6 Weeks Post-OutageU.S. cybersecurity firm CrowdStrike - despite its role in a meltdown of millions of Windows computers and despite being based in the most litigious country in the world - has yet to see any lawsuits be filed against it by customers following its July 19 software update gone horribly wrong.
See Also: Cyber Insurance Assessment Readiness Checklist
"As of this morning, to the best of my knowledge, we actually haven't seen a lawsuit against us by a customer for the incident," said CrowdStrike CFO Burt Podbere on Wednesday. "So we don't know how it's all going to shake out."
Delta Air Lines more than a month ago very publicly threatened to sue both CrowdStrike and Microsoft to recover what it said were $500 million in damages it suffered due to the disruption. The two tech companies responded by suggesting Delta's own IT investments and planning might have compounded its outage, especially when its competitors recovered so much more quickly (see: Delta Versus CrowdStrike and Microsoft: Accusations Fly).
More than six weeks post-outage, credit for CrowdStrike's current legal situation appears to mainly rest on the endpoint detection and response giant's rapid and very public response. It also appears to have been waging a "hearts and minds" campaign, including via bespoke "customer commitment packages," to try and refocus discussions on what happens next.
The company's rapid response earned it kudos from multiple customers, including Delta board member David DeWalt, who formerly served as CEO of McAfee and FireEye. He said CrowdStrike's CEO called him just hours after the incident began and that the cybersecurity vendor worked closely to support Delta's CISO and IT teams.
CrowdStrike said it moved to immediately support customers, rolling out tools to help restore systems, backed by 24x7 service. Microsoft also released tools and helped multiple CrowdStrike customers restore systems. CEO George Kurtz very quickly hopped onto television to apologize and detail what the company was doing to help customers respond. Behind the scenes, Kurtz and other executives were reaching out directly, offering help and promising to put things right (see: CrowdStrike Debuts Safeguards, Seeks to Blunt Outage Impact).
Podbere said the specific incentives vary by customer and how much the faulty software update affected their operations. He said they might include free, extended trials of products for the length of an already existing contract or perhaps up to a year; extending existing contracts for free; offering free training; or some other permutation. "It's not one-size-fits-all. But it's there as a tool for the sales team to start the dialogue, and that's what we're trying to achieve today is start a dialogue."
The company also published a preliminary report into the incident, followed by a more robust root cause analysis. Both placed the blame for the faulty update squarely on CrowdStrike's shoulders, saying a bug in its testing process failed to prevent an update from crashing its Falcon software agent, triggering nonstop rebooting to a Windows "blue screen of death."
Weeks later, discussions with customers are less fraught. "As time goes on, that does get easier because we're moving further away from the sun. And that's how we think about it," Podbere said.
CrowdStrike's quarter ended July 31, and the company reported that its net annual recurring revenue, or ARR, increased by 11%. "It would have been a lot more than that," Podbere said, except the outage led to multiple deals in its sales pipeline - worth $60 million in total - being delayed and not closing, although the company still expects them to do so in a future quarter.
Podbere said other big deals have since closed, including "a 9-figure total contract value deal" as well as another "8-figure deal."
Despite so far not seeing any customer lawsuits, CrowdStrike is facing a putative class action lawsuit from investors arguing they were misled by the company and told its technology was "validated, tested and certified" before the faulty update triggered the global IT outage.
Whether that lawsuit might succeed remains unclear.
Outages involving faulty antivirus software updates aren't new and have affected everyone from McAfee and Symantec to Kaspersky and Microsoft's own Windows Defender. "Every security solution on the planet has had their CrowdStrike moments," Costin Raiu, who led Kaspersky's threat intelligence team for 23 years before departing last year, told Wired.
"This is nothing new but the scale of the event," Raiu said (see: CrowdStrike, Microsoft Outage Uncovers Big Resiliency Issues).
Clearly, another disruption of this magnitude would be unwelcome. Multiple government agencies, security experts and vendors are calling on Microsoft to rearchitect Windows in such a way that security tools can continue to get needed functionality, potentially still via kernel-level access, but in such a way that if things fail, the operating system will be able to automatically recover. Microsoft is holding a private summit Tuesday with industry and government representatives to detail its proposed next steps (see: After CrowdStrike Outage: Time to Rebuild Microsoft Windows?).