Delta allowed to proceed with lawsuit against CrowdStrike over outage

ATLANTA - A Georgia judge has ruled that Delta Air Lines can move forward with most of its lawsuit against cybersecurity firm CrowdStrike, accusing the company of gross negligence in a software update that caused a catastrophic computer failure and disrupted global air travel last summer, according to Reuters.

A spokesperson for Delta sent the following statement to FOX 5 Atlanta:

"We are pleased by the ruling and remain confident in the merits of our claims against CrowdStrike."

PREVIOUS STORIES

• Delta must face class action lawsuit over CloudStrike outage, judge rules
• Delta sues cybersecurity firm CrowdStrike over tech outage that canceled flights
• Legal battle between Delta, CrowdStrike heats up with matching lawsuits over outage
• CrowdStrike fires back against Delta threat over flight outages
• Delta meltdown: US DOT opens investigation to CrowdStrike outage, backlog being reduced
• Flight delays may ripple through weekend at Atlanta's airport due to CrowdStrike outage

What we know:

The decision, issued Friday by Fulton County Superior Court Judge Kelly Lee Ellerbe, allows Delta to argue that CrowdStrike's July 2024 update to its Falcon cybersecurity platform was defective and directly responsible for the cancellation of more than 7,000 Delta flights. The glitch impacted over 8 million Microsoft Windows-based devices worldwide, including critical systems used by Delta.

Judge Ellerbe noted that Delta provided enough evidence to support its claim that a simple test on a single machine could have revealed the programming flaw before the software was rolled out. She also cited a public admission by CrowdStrike’s president that the company had done something "horribly wrong."

In addition to the negligence claim, Delta is also being permitted to pursue a charge of computer trespass, and a limited fraud claim alleging CrowdStrike had falsely assured the airline it would not introduce unauthorized access points—commonly referred to as "back doors"—into its systems.

The other side:

CrowdStrike sent the following statement to FOX 5 Atlanta:

"We're pleased several Delta claims have been rejected, and are confident the rest will be contractually capped in the single-digit-millions of dollars or otherwise found to be without merit."

According to Crowdstrike, while the Georgia judge allowed several of Delta’s key claims against CrowdStrike to proceed, the court also narrowed the scope of the lawsuit considerably.

CrowdStrike claims the court expressed skepticism toward many of Delta's legal theories and emphasized that Georgia’s economic loss rule significantly restricts the ability to recover damages outside the contract. While Delta’s gross negligence claim reportedly survived based on an alleged "confidential relationship," the court noted such relationships are rarely recognized in arm’s-length business agreements and only allowed the claim to move forward under the liberal standards at this early phase of litigation.

Additionally, the judge reportedly acknowledged CrowdStrike’s liability cap under its agreement with Delta and found no substantive basis—at this stage—for Delta’s computer trespass claim beyond basic allegations.

The backstory:

Delta, which is headquartered in Atlanta, filed the lawsuit three months after the July 19 outage that impacted roughly 1.4 million of its passengers. The airline says it suffered $550 million in losses from cancellations, delays, and operational costs, though it recouped about $50 million in fuel savings.

The incident affected other carriers as well, but Delta’s recovery was notably slower. Earlier this month, a separate federal judge ruled that Delta must also face a proposed class action lawsuit from passengers who claim the airline unlawfully denied them full refunds after the disruption.