American cybersecurity firm CrowdStrike has been hit by a class action lawsuit filed by shareholders in Austin, Texas, following the infamous global IT outage on 19 July.
The shareholders have accused the Nasdaq-listed company of defrauding them by failing to disclose risks associated with its software testing methods.
The plaintiffs argue that CrowdStrike made materially false and misleading statements about the reliability of its technology. The consequences of these assertions came to light when a flawed software update triggered widespread disruptions, leading to a 32% drop in the company’s share price over twelve days, wiping out approximately $25 billion in market value.
The severity of the issue intensified when George Kurtz, CEO of CrowdStrike and a named defendant, was summoned to testify before the US Congress.
Shareholders are not the first to engage lawyers
Additionally, the incident heavily impacted Delta Air Lines, prompting the airline to hire prominent lawyer David Boies to seek damages. Delta’s CEO, Ed Bastian, told CNBC that the outage resulted in a financial blow of about $500m due to lost revenue and the cost of compensating and accommodating stranded passengers, alongside the cancellation of over 5,000 flights. Bastian emphasised the necessity of seeking reparations, stating, “We have no choice.”
CrowdStrike issued a statement on the lawsuit, saying: “We believe this case lacks merit and we will vigorously defend the company.”
The lawsuit cites specific statements, such as one from a 5 March conference call in which Kurtz claimed the company’s software was “validated, tested, and certified.” The lead plaintiff, Plymouth County Retirement Association from Massachusetts, is seeking unspecified damages for holders of CrowdStrike Class A shares from 29 November 2023 to 29 July 2024.
The outage was caused by a software update intended to enhance telemetry data collection on new threat techniques, which inadvertently caused the “blue screen of death” on devices running Microsoft Windows. This malfunction affected various sectors, grounding flights, interrupting broadcasts, and disrupting essential services.
Earlier this week, CrowdStrike reported that over 97% of its Windows sensors had been restored since the outage.
On 24 July 2024, CrowdStrike Intelligence uncovered an unattributed spearphishing attempt that delivered a fraudulent CrowdStrike Crash Reporter installer through a website impersonating a German entity, registered just one day after the problematic update was identified and remedied.
The cause of global outage and outrage
CrowdStrike’s post-incident review, published on 24 July, identified the root cause of the 19 July global IT outage. The review pinpointed a content configuration update delivered at 04:09 UTC on 19 July as the source of the problem. This update, part of CrowdStrike’s Rapid Response Content, inadvertently caused an out-of-bounds memory read, resulting in the “blue screen of death” on systems running sensor version 7.11.
CrowdStrike uses two main update mechanisms, Sensor Content and Rapid Response Content. Sensor Content updates are rigorously tested and integrated into structured sensor releases to ensure stability. In contrast, Rapid Response Content, intended for immediate threat responses, is updated dynamically and may not receive the same level of pre-release testing.
The outage was linked to a specific Rapid Response Content Template Instance that included a new IPC Template Type from version 7.11, released on 28 February 2024.