Wow:
CrowdStrike says it is "highly disappointed" and rejects the claims made by Delta and its lawyers that the vendor exhibited gross negligence in the events that led to the global IT outage a little over two weeks ago.
That's according to a letter, seen by The Reg and sent to David Boies, partner at the law firm Delta hired to investigate the airline's legal options after it struggled more than most to bring its systems back online, leading to a sprawling list of flight cancellations.
The Falcon vendor reiterated its apology to Delta and the wider customer base. It then went on to remind Boies, known for his work as special counsel during the 1990s US antitrust trial against Microsoft, that it had been proactive in reaching out to Delta, offering support to the airline "within hours" of the incident unfolding.
...
CrowdStrike's lawyer, Michael B. Carlinsky, then poked the bear further. He said that among other things, in this hypothetical trial Delta would also need to explain why it took so much longer than competitors to recover from the same issue, why it refused the free on-site help CrowdStrike offered – the support that led to faster recovery times than Delta's, and the operational resiliency of its IT infrastructure.
This is hands down the biggest screw up - ever - by any security vendor. I guess that a screw up this big is a potential extinction-level event for Crowdstrike but this sure doesn't sound like it will calm down their customer base. OK, so they offered some help when they took down Delta, and Delta didn't jump on this. That sounds like it's 1% on Delta and 99% on Crowdstrike.
But that's not what's going on here - it's explicitly telling a customer that they will drag them through the mud if the customer sues them for their monumental screw up.
Holy moley.
3 comments:
Crowdstrike missed an opportunity to negotiate down from $500 million.
Back when NMCI rolled out and we got screwed by an update my colleague just killed his computer at the power strip every night before leaving. It didn't prevent the routine update workstoppages but he felt better about it.
As a matter of contract law, what Crowdstrike seems to be arguing would NOT make them not liable, but might, repeat might, partially mitigate the damages.
Seem like it will be a very fact-heavy argument whether or not Crowdstrike's after-the-fact offer of help would be thought to be helpful, by a reasonable person.
Since Crowdstrike caused the initial problem, a reasonable person might be skeptical that their continued involvement would be helpful in resolving it.
Post a Comment