One year after travel meltdown, Delta-CrowdStrike dispute far from over

Stranded travelers went gate to gate trying to get on flights. Customer service lines stretched down concourses into the night, and some passengers slept on floors overnight. Luggage separated from its owners piled up in baggage claims.

But although most other airlines had their systems rebooted after a few hours and their operations returned to normal after the weekend, for Delta it cascaded into catastrophe. Its crew tracking system in particular was crippled.

An estimated 7,000 Delta flights were canceled in five days, affecting more than 1 million customers. United Airlines, by contrast, canceled about 1,500.

Atlanta-based Delta estimates those few days cost it more than $500 million.

Delta CEO Ed Bastian told CNBC the company had to manually touch and reboot 40,000 servers to recover, and was hit hardest because it was “by far” more dependent on CrowdStrike and Microsoft than its competitors. CrowdStrike has disputed that.

The airline says it has made “significant” changes to its information technology systems to ensure such a debacle never happens again. But it also insists CrowdStrike is liable for its losses.

The issue will be decided in Fulton County Superior Court, where Delta sued CrowdStrike.

And although CrowdStrike’s president accepted a “Most Epic Fail” award at a hacking conference for the debacle, the company isn’t taking the suit lying down.

It countersued — and now says it intends to prove the reason the hit to Delta was so bad is because of Delta’s own faulty systems.

“We believe Delta vastly underinvested in its critical infrastructure,” CrowdStrike’s attorney Michael Carlinsky told The Atlanta Journal-Constitution.

“Did we have a problem that brought down the system? Yes. We own that. But are the damages that they have suffered our responsibility? We say no.”

Delta is the only CrowdStrike customer to sue for damages.

Bastian told the AJC that CrowdStrike’s claims are “100% false.”

In a statement, Delta said it continues to be “confident in the merits of our case.”

“CrowdStrike has repeatedly conceded it failed to adhere to even basic industry-standard practices for IT updates. … If CrowdStrike had tested this on even a single computer, that computer would have crashed.”

A judge recently allowed much of Delta’s case to proceed, and a long legal road is ahead: the companies have until next fall to complete discovery.

‘Trapped and lost at the same time’

For travelers caught in the meltdown last summer, the experience left a mark, regardless of who is to blame.

Ann Brumbaugh was stuck in the Seattle airport overnight with her 82-year-old mother and diabetic daughter.

After their flight was canceled, the DeKalb County resident was able to get priority for her daughter to fly out the next day. However, it would take another night in a hotel before she and her mother could get home.

“It was just this constant chaos,” she said. “It was just this feeling of being trapped and lost at the same time. … You can’t get out, and you’ve got 10 or 15,000 other people who are in the exact same position.”

Brumbaugh received expense reimbursement and 40,000 SkyMiles, but after flying the airline for 25 years, she says what she experienced was “not the Delta I knew.”

Hartsfield-Jackson Atlanta International Airport employees called in to help manage the chaos also have memories from the weekend, Assistant General Manager Jordan Biegler said.

One example: When airlines weren’t able to access their check-in systems but were still allowing limited flights out, employees had to physically group people by flight waiting in the terminal.

They wrote flight numbers on paper and attached them to poles.

“Now we have a whiteboard version of that, that we can deploy if we need, to just make it a little more organized,” Biegler said.

Another traveler, Kim Kruzel, was stuck in Hawaii for days after her Delta flight was canceled, forcing her to spend hundreds more dollars for lodging.

She said she was denied her claim for reimbursement after getting home to Southern California. “They weren’t really trying to help at all,” she recalled.

Credit: TNS

Credit: TNS

Chrystal York of Locust Grove, who scotched a trip on another airline during the outage, said if Delta and CrowdStrike are still “in a finger-pointing stage … that means that we are still at risk of this happening again.”

The U.S. Department of Transportation last year announced an investigation into Delta, but did not respond to inquiries about its status.

A class action passenger lawsuit against Delta also remains outstanding.

One of the lead lawyers, Adam Webb, said Delta’s reimbursement efforts were “good talk, but not backed up by the real walk.”

“They made commitments to pay these losses, and then what we’ve seen from various people is that the losses were not reimbursed,” he said.

The company said at the time that customers with disrupted travel could receive automatic refunds for remaining flights as well as bag and seat fees, and it promised to reimburse customers for “reasonable costs” and “unplanned, out-of-pocket expenses.”

Delta also offered its own employees free travel passes as a thank you.

Flight reimbursements and crew-related costs totaled $170 million, and expense refunds in cash and SkyMiles totaled $380 million, the company says.

Credit: John Spink

Credit: John Spink

Who owns the disaster

“Delta files this lawsuit to hold CrowdStrike to its word: CrowdStrike must ‘own’ the disaster it created,” the airline’s legal complaint reads.

The company “failed to exercise even the slightest diligence and care,” Delta argues.

CrowdStrike has countered with sharp allegations of its own.

The firm’s attorneys intend to highlight management failures and a pattern of underinvestment in Delta’s systems, ranging from airplane maintenance to IT.

“It’s kind of like when the tide goes out and you see everything that’s left on the beach,” CrowdStrike lawyer Carlinsky said of the lawsuit.

“The tide is going to go out here, and at the end of this process … all of their deficiencies, all of their failures, all of the board’s failures and all of Bastian’s management failures are going to be laid bare.”

Microsoft, which Delta had initially threatened to sue as well, also pointed the finger at the airline last year: “Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernized its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants,” Microsoft attorney Mark Cheffo wrote.

Delta’s own pilot and dispatcher unions recently took aim at the same crew scheduling system so crippled by the outage.

The pilots union argued the 1980s-era system hasn’t seen timely upgrades, leaving it vulnerable during severe weather.

Credit: John Spink

Credit: John Spink

One year later

In a 2024 Bloomberg interview, Bastian said the company has “learned a lot” since the incident. “We thought we were surrounded by the very best that you can protect yourself with.”

“We realized that you can’t take these guys anywhere close to face value in terms of what they tell you you’re responsible for,” he said.

He went on to say Delta has upgraded its “technology security infrastructure to prevent that from ever happening again.”

Notably, it has not seen another massive outage since.

One thing is for sure: Delta is no longer working with CrowdStrike, Bastian confirmed to the AJC.

Hartsfield-Jackson, meanwhile, has also learned from the debacle. The airport has added more training so security staff can help passengers in emergencies.

It’s also accelerating plans for a larger emergency operations center to be better prepared for situations like CrowdStrike — instead of having to rely on text threads in the early moments of a crisis.

Although the meltdown prompted questions about the effect to Delta’s brand, the airline continued to rack up industry accolades last year, including for on-time performance.

After the incident, Henry Harteveldt, an airline industry analyst and president of Atmosphere Research Group, told the AJC the outage had “done terrible damage to Delta’s brand, especially its reputation for being reliable and punctual.”

In a follow-up interview this week, Harteveldt said “CrowdStrike definitely put a dent in the Delta brand, but the airline got itself back on its feet.”

Still, whether it’s Delta or any company reliant on technology, he said, the event is a reminder how even a small mistake “can bring the world to its knees.”

Editor’s note: This story was corrected to reflect CrowdStrike’s president accepted the “Most Epic Fail” award at a hacking conference and to add that the firm disputes Delta’s explanation of why it was hit hardest by the outage.