CrowdStrike Outage Spurs Legal Actions and Claims
Companies Seek Compensation From CrowdStrike and Microsoft for Financial Losses

July 19, 2024, will be remembered for a major black swan event as a buggy update to an endpoint detection and response solution from security vendor CrowdStrike affected 8.5 million Windows systems worldwide. Some companies that faced huge losses due to the outage are seeking compensation from CrowdStrike and Microsoft and are also considering lawsuits.
A report by Parametrix, the leading provider of cloud monitoring, modeling and insurance services, showed that Fortune 500 companies, excluding Microsoft, will likely incur financial losses to the tune of $5.4 billion due to the CrowdStrike outage.
Prominent businesses, including Delta Air Lines, have struggled to recover completely, said Jon Amato, senior director analyst at Gartner. "While we don't have a good root cause on why this is the case, one credible theory I've noticed is that the global nature of Delta's business makes it difficult to physically access all of the machines that are affected worldwide," he said.
CNBC reported that Delta has received more than 176,000 refund requests from passengers who were stranded, had their flights canceled or lost their baggage in the chaos. This does not include the reputational damage that the airline suffered. The airline has hired litigator David Boyce from the law firm Boyce PLC to seek damages incurred due to the Microsoft and CrowdStrike software outage. CNBC estimates that the outage has cost Delta between $350 million and $500 million.
Tony Fernandes, CEO of low-cost carrier AirAsia, has publicly demanded a full refund from Microsoft for the significant losses incurred due to the global IT outage. This move has sparked a wider conversation about accountability and compensation in the case of such large-scale IT failures.
The Aftermath
Recent reports state that most businesses have now resumed operations. Sevco Security's analysis showed that 93% of CrowdStrike services were restored by 6 a.m. U.S. Eastern Time on July 22. Many CISOs and security teams use Sevco's patented asset inventory to actively manage endpoint agent deployments and vulnerabilities, and about 60% of Sevco's customers use CrowdStrike's cybersecurity services. CrowdStrike later reported that 97% of Windows systems were back online as of July 24 at 5 p.m. Pacific Time.
"The recovery process provided by CrowdStrike is straightforward and clearly documented, and [the fix] seems to be 100% effective if the documented process is followed," Amato said.
Applying the fix, Amato said, is time-consuming, requires following technical instructions, and cannot be automated. System administrators need administrative credentials and decryption keys [for BitLocker disk encryption] to carry out the fix. "The challenge is to deploy the fix at an unprecedented scale," he said.
This is not the first time an IT outage has caused such widespread disruption. In 2010, a similar incident occurred with antivirus vendor McAfee, causing millions of Windows systems to crash worldwide.
In a Gartner webinar conducted on July 25, analysts performed a post-incident analysis. One of the first things we need to do is "restore normalcy in business operations" and effectively use communication channels, said Eric Grenier, director analyst at Gartner. He warned that adversaries are exploiting the situation with fake remediation websites and unsolicited phone calls offering help. Phishing scams and emails are increasing as well (see: Cybercrooks Continue to Capitalize on CrowdStrike Outage).
CYFIRMA's new report provided a detailed analysis of the tactics, techniques and procedures used by threat actors exploiting this situation. CYFIRMA researchers said they are actively monitoring the ongoing fallout from the CrowdStrike blue screen of death incident. The updated analysis examines malicious domains and hashes linked to phishing campaigns and identifies several types of malware being deployed, including Remcos RAT, wiper malware and other commodity malware.
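The fake remediation sites Grenier and CYFIRMA describe are something a security team can watch for in its own web proxy logs. The script below is an added example written for this article, not code from Gartner, CYFIRMA or CrowdStrike: it scans constructed proxy log lines and flags destinations that are not on a trusted-domain allowlist but contain vendor brand terms, are a close typosquat of the vendor's name, or serve an executable or archive from such a host. The trusted domains, brand terms, sample hostnames (all under the reserved .example TLD) and log format are assumptions made for the example; no real malicious domains from the incident are used.

```python
"""Flag proxy-log destinations that impersonate a vendor's remediation pages (added example)."""
from urllib.parse import urlsplit

# Domains treated as legitimate for this example (assumption, not an authoritative list).
TRUSTED_DOMAINS = ("crowdstrike.com", "microsoft.com")
# Terms a fake "fix" site would plausibly put in its hostname (assumption).
BRAND_TERMS = ("crowdstrike", "falcon", "bsod", "hotfix", "remediat")
# Downloads that warrant extra attention when served from an untrusted lookalike host.
RISKY_EXT = (".zip", ".exe", ".msi", ".bat", ".ps1")

# Constructed sample proxy log, "<timestamp> <user> <url>" per line. Not real traffic.
SAMPLE_LOG = """\
2024-07-22T08:01:13Z alice https://www.crowdstrike.com/blog/statement-on-falcon-content-update/
2024-07-22T08:03:40Z bob https://crowdstrike-hotfix.example/remediate.zip
2024-07-22T08:05:02Z carol https://crowdstrlke.example/fix
2024-07-22T08:06:17Z dave https://learn.microsoft.com/windows/release-health
2024-07-22T08:07:55Z erin https://bsod-recovery-tool.example/download.exe
2024-07-22T08:09:30Z frank https://news.example/outage-coverage
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def registered_label(host: str) -> str:
    """Second-level label, e.g. 'crowdstrlke' for 'crowdstrlke.example'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify_url(url: str):
    """Return a list of reasons to flag the URL, or None if it looks benign."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or is_trusted(host):
        return None
    reasons = []
    if any(term in host for term in BRAND_TERMS):
        reasons.append("brand term in untrusted host")
    label = registered_label(host)
    if label != "crowdstrike" and levenshtein(label, "crowdstrike") <= 2:
        reasons.append("typosquat of crowdstrike")
    # Only escalate on the download if the host was already suspicious.
    if reasons and parts.path.lower().endswith(RISKY_EXT):
        reasons.append("executable download")
    return reasons or None


def scan_log(text: str):
    """Parse log lines and return (user, host, reasons) for each flagged request."""
    findings = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, user, url = fields
        reasons = classify_url(url)
        if reasons:
            findings.append((user, urlsplit(url).hostname.lower(), reasons))
    return findings


if __name__ == "__main__":
    for user, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{user:6} {host:32} {', '.join(reasons)}")
```

The allowlist check runs first so that legitimate vendor subdomains never trip the brand-term rule; the edit-distance threshold of 2 catches single-character swaps like the one in the constructed sample while leaving unrelated names alone.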
To prevent breaches in the future, Franz Hinner, senior director analyst at Gartner, recommended thorough systems checks and reviews. "We need to set up comprehensive security reviews. We should also review our security posture and process flows," he said. "It is also important to work with counterparts and document everything."
CIOs are expected to review the quality assurance and testing processes with other vendors moving forward. Regulators may scrutinize how these tests are being conducted by vendors and may require organizations to explain their business continuity plans. CIOs are more concerned about how they would handle similar events in the future.
CIOs Emphasize Robust BCP
After the incident, Leigh McMullen, distinguished vice president, analyst at Gartner, spoke to CIOs who are Gartner customers. He said CIOs are unsure if they have adequate recovery plans for a widespread outage beyond their control. "We have to figure out new mechanisms to deal with such events. Black swan events cannot be predicted, but we can anticipate the implications or consequences of such events as they are finite and understandable," McMullen said.
Incidents like these test an organization's BCP. "Test is actual reality in action. I am very happy to see that companies have set live examples of working BCP plans, which actually worked," said Meheriar Patel, group CIO of digital solutions at Jeena & Company. Jeena & Company provides freight forwarding and supply chain solutions.
Concurring with McMullen's words, Patel said that businesses now understand that incidents like these can occur. "Even the most robust IT setup can be compromised and business can be affected. Strengthen your BCP plan so it is more refined and available to execute when the time comes. The more we rely on technology, the more prepared we have to be," Patel said.
CIOs also advised reviewing IT architectures rather than replacing vendors when such incidents occur. "The best any company can do is review vendor relationships and check their network architecture for single points of failure," said Dick Wilkinson, chief technology officer at Proof Labs. Proof Labs delivers cybersecurity solutions to help protect critical military, aerospace, satellite and national defense assets.
Call for Improved Communication
Other industry experts underscored the need to improve communication and share information. As news spreads quickly through social media and news channels, it can significantly damage companies' reputations and hurt their market capitalization. It is important to have "clear and consistent communication" with all stakeholders to minimize their anxiety, according to Milind Khamkar, group CIO at Supermax, an Indian men's grooming and personal care company.
Edmund Situmorang, chief technology officer and head of artificial intelligence at Trans Meta Teknologi, suggested a closed-loop reporting system at the national level. Companies should be responsible for reporting incidents to the government to support a rapid response system. "I have suggested a blackbox reporting system, a sort of 'hush-hush' reporting, to the Indonesian government," he said. Trans Meta Teknologi is an Indonesian firm that guides companies in identifying areas where AI can significantly influence their business goals.
"If no one reports, several organizations will be impacted in the absence of a rapid response system, leading to a national or global catastrophe - as we just saw with the CrowdStrike outage," Situmorang said.