Eric DeGrass
Founder
Executive Summary
In July 2024, a defective software update from cybersecurity firm CrowdStrike led to a global IT outage, disrupting millions of devices across various sectors and causing significant operational and financial losses, notably for Delta Air Lines, which reported over $500 million in losses and has since filed a lawsuit against CrowdStrike.
This post uses that incident to underscore the critical importance of an approach to operational resilience that extends beyond cybersecurity. This is especially timely as the Digital Operational Resilience Act (DORA) is set to be enforced in January 2025, mandating that financial entities establish comprehensive frameworks to manage ICT risks.
The convergence of non-security incidents and cyber threats highlights the necessity for organizations to fortify all facets of operational integrity to safeguard against both inherent system flaws and external threats.
Understanding the full impact of a system outage often requires months, if not years, of analysis. As we approach January 19, 2025, marking six months since the CrowdStrike outage, a clearer picture has emerged.
On July 19, 2024, cybersecurity firm CrowdStrike released a faulty software update that inadvertently caused a global IT outage. This incident was particularly notable because, despite CrowdStrike's role as a security vendor, the outage was not due to a cyberattack but resulted from a quality assurance and testing failure that allowed defective software to be deployed.
The immediate repercussions were widespread:
Operational Disruptions: Approximately 8.5 million Windows devices were affected, leading to significant disruptions across various sectors, including airlines, banks, hospitals, and media outlets.
Financial Impact: Delta Air Lines reported over 7,000 flight cancellations, estimating losses exceeding $500 million due to the outage.
Often, the most costly and devastating consequences of a very public outage are not felt until long after operations have been restored.
CrowdStrike is facing several lawsuits (more may follow):
Delta Air Lines Lawsuit: Delta filed a lawsuit against CrowdStrike, seeking compensation for the substantial losses incurred during the outage.
Shareholder Class-Action Lawsuit: Shareholders initiated a class-action lawsuit, alleging that CrowdStrike's negligence led to a decline in stock value following the incident.
Client liability spreads the pain and amplifies the damage to reputation and future revenue.
Delta Air Lines Passenger Lawsuit: Passengers affected by flight cancellations have filed a class-action lawsuit against Delta, claiming inadequate assistance and seeking damages.
Although the initial incident was not a cyberattack, it created vulnerabilities that malicious actors quickly exploited. The connection between initial non-security-related outages and subsequent cyberattacks cannot be overstated. Bad actors are always poised to capitalize on unplanned outages and disruptions, regardless of their root cause. The CrowdStrike incident was no exception:
Phishing Scams: Attackers impersonated CrowdStrike support, sending fraudulent communications to deceive users into downloading malware or divulging sensitive information.
Malware Distribution: Malicious entities distributed fake "fixes" for the outage, which contained harmful software designed to compromise systems further.
The imminent enforcement of the Digital Operational Resilience Act (DORA) on January 17, 2025 (almost six months to the day after the CrowdStrike outage) underscores the critical importance of operational resilience in the financial sector, and across the common services they (and we) all rely upon. DORA mandates that financial entities establish robust frameworks to manage Information and Communication Technology (ICT) risks, recognizing that non-security defects can be as detrimental as malicious cyberattacks.
The CrowdStrike incident exemplified how operational failures, even in the absence of a direct cyberattack, can create vulnerabilities that opportunistic bad actors exploit. This convergence of non-security incidents and cyber threats highlights the necessity for comprehensive resilience strategies. DORA's implementation is timely, emphasizing that all facets of operational integrity must be fortified to safeguard against both inherent system flaws and external threats.
As financial entities prepare for DORA's requirements, the lessons from the CrowdStrike outage serve as a compelling reminder of the intertwined nature of operational and cybersecurity risks. Ensuring resilience against such multifaceted threats is not just a regulatory obligation but a fundamental component of maintaining trust and stability in the digital financial ecosystem.
The legal and reputational damages caused by system failures continue to unfold months and often years after the event itself; governments are still weighing their options regarding CrowdStrike at the time of this writing.
Broad service providers put themselves and their customers at risk, not just operationally, but also legally and reputationally.
Outages stemming from non-security issues can be damaging on their own and can also introduce significant cyber threats.
The ensuing chaos provides fertile ground for bad actors to exploit newly exposed vulnerabilities, emphasizing the universal need for comprehensive risk management strategies that encompass both security and operational resilience across every industry.
Understand the cost to your business and how BugZero can help you reduce those costs.