`
`UNITED STATES DISTRICT COURT
`WESTERN DISTRICT OF TEXAS
`AUSTIN DIVISION
`
`
`JULIO DEL RIO, JACK MURPHY, and
`STEVEN BIXBY, individually and on behalf
`of all others similarly situated,
`
`
`
`Plaintiffs,
`
`
`v.
`
`CROWDSTRIKE, INC.,
`
`
`
`
`
`
`Defendant.
`
`
`
`Case No. 1:24-cv-00881
`
`CLASS ACTION
`
`JURY TRIAL DEMANDED
`
`
`
`
`Plaintiffs Julio del Rio, Jack Murphy, and Steven Bixby (collectively, “Plaintiffs”),
`
`individually and on behalf of all others similarly situated (collectively, “Class members”), by and
`
`through the undersigned attorneys, bring this Class Action Complaint against Defendant
`
`CrowdStrike, Inc. (“Defendant” or “CrowdStrike”), and complain and allege upon personal
`
`knowledge as to themselves and information and belief as to all other matters as follows.
`
`INTRODUCTION
`
`1.
`
`CrowdStrike is a cybersecurity firm that offers commercial data protection and
`
`cybersecurity services and products intended to keep computers safe from cyberattacks and
`
`malware, including its Falcon platform (“Falcon”).
`
`2.
`
`On July 19, 2024, CrowdStrike released a security software update for its Falcon
`
`platform. Rolling out this update should have been a routine process without any noticeable impact
`
`on CrowdStrike’s customers’ information technology (“IT”) systems. Instead, shortly after the
`
`release of the update “a global tech disaster was underway.”1
`
`
`1 Tom Warren, Inside the 78 minutes that took down millions of Windows machines, THE VERGE
`(July 23, 2024 10:40 AM), https://www.theverge.com/2024/7/23/24204196/crowdstrike-
`windows-bsod-faulty-update-microsoft-responses.
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 2 of 27
`
`3.
`
`Due to CrowdStrike’s negligent conduct, the software update contained one or
`
`more serious bugs2 or errors that caused millions of computers around the world to repeatedly
`
`crash and become inoperable (the “CrowdStrike Outage”).
`
`4.
`
`The consequences of CrowdStrike’s flawed update were catastrophic. In total, over
`
`8,500,000 devices went offline due to the CrowdStrike update.3 CrowdStrike’s carelessness caused
`
`one of the largest global IT system outages in history.4
`
`5.
`
`CrowdStrike’s Falcon platform is used by many of the world’s largest companies
`
`across a range of industries, including the aviation industry. The CrowdStrike Outage disrupted
`
`airline and airport IT systems, causing a cascade of flight delays and cancellations as airlines
`
`struggled to operate with their computer systems offline.5
`
`6.
`
`CrowdStrike’s flawed update not only interfered with airlines—it also severely
`
`interrupted the lives of the millions of people traveling in the days immediately following the
`
`CrowdStrike Outage. The CrowdStrike Outage grounded thousands of flights and delayed
`
`
`2 “A software bug is a problem causing a program to crash or produce invalid output. The
`problem is caused by insufficient or erroneous logic. A bug can be an error, mistake, defect or
`fault, which may cause failure or deviation from expected results.” Margaret Rouse, Software
`Bug, TECHOPEDIA (June 20, 2024), https://www.techopedia.com/definition/24864/software-bug.
`3 E.g., CIO Staff & Francisca Dominguez Zubicoa, Delta Airlines to ‘rethink Microsoft’ in wake
`of CrowdStrike outage, CIO (Aug. 1, 2024), https://www.cio.com/article/3480378/delta-airlines-
`to-rethink-microsoft-in-wake-of-crowdstrike-outage.html.
`4 See The Consequences Of The CrowdStrike Update, NPR (July 31, 2024 6:18 PM),
`https://www.npr.org/2024/07/31/1198912548/1a-07-31-
`2024#:~:text=The%20Consequences%20Of%20The%20CrowdStrike%20Update%20%3A%201
`A%20It's%20been%20called,to%20broadcast%20news%20to%20hospitals.
`5 See Aarian Marshall, Why the Global CrowdStrike Outage Hit Airports So Hard, WIRED (July
`19, 2024 5:00 PM), https://www.wired.com/story/crowdstrike-windows-outage-airport-travel-
`delays/.
`
`2
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 3 of 27
`
`thousands more, often stranding travelers in airports thousands of miles away from their intended
`
`destination for hours—and even days. 6
`
`7.
`
`But lengthy delays were not the only consequence of the outage for travelers. Faced
`
`with increasingly long delays and mounting flight cancellations, many travelers had no option but
`
`to spend hundreds of dollars or more on additional meals, lodging, or other travel arrangements as
`
`they desperately sought a way to their destination.
`
`8.
`
`CrowdStrike’s failure to properly develop, test, and deploy the Falcon update
`
`caused the CrowdStrike Outage and delayed or cancelled Plaintiffs’ and Class members’ flights.
`
`These delays and cancellations in turn forced Plaintiffs and Class members to incur additional
`
`expenses and damages. This action seeks to remedy these consequences of CrowdStrike’s
`
`negligence. Plaintiffs bring this action on behalf of themselves and all persons who had a flight
`
`delayed or cancelled as a result of the CrowdStrike Outage.
`
`9.
`
`Plaintiffs, on behalf of themselves and all other Class members, assert claims for
`
`negligence, violation of the California Unfair Competition Law, and public nuisance, and seek
`
`declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages,
`
`equitable relief, and all other relief authorized by law.
`
`PARTIES
`
`Plaintiff Julio del Rio
`
`10.
`
`Plaintiff Julio del Rio is a citizen of California.
`
`
`6 E.g., Shayla Reaves & Athony Bettin, Days after CrowdStrike outage, North Carolina woman
`still stuck at MSP Airport, CBS NEWS (July 22, 2024 7:55 AM),
`https://www.cbsnews.com/minnesota/news/north-carolina-woman-stuck-at-msp-airport-after-
`crowdstrike-outage/.
`
`3
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 4 of 27
`
`11.
`
`Plaintiff del Rio and his spouse had purchased tickets for a July 19, 2024 direct
`
`flight from Hawaii’s Kona International Airport (“KOA”) to Los Angeles International Airport for
`
`approximately $800.
`
`12.
`
`The CrowdStrike Outage affected the IT system of the airline Plaintiff del Rio
`
`planned to travel on, which caused Plaintiff del Rio’s flight to be delayed multiple times, before
`
`ultimately being canceled. Plaintiff del Rio was forced to spend time and effort attempting to
`
`arrange an alternative later flight to Los Angeles.
`
`13.
`
`The chaos caused by the CrowdStrike Outage meant Plaintiff del Rio was not able
`
`to book another direct flight from KOA to Los Angeles International Airport on the same airline.
`
`Instead, Plaintiff del Rio was forced to purchase tickets for a different airline’s flight to San
`
`Francisco, California. Plaintiff del Rio paid approximately $1,200 out-of-pocket for these tickets.
`
`He has not received a reimbursement or refund of the cost of his tickets on the original, canceled
`
`flight.
`
`14.
`
`Plaintiff del Rio’s flight to San Francisco was scheduled to leave on July 20, 2024,
`
`the day after his original flight would have left but for the CrowdStrike Outage. As a result,
`
`Plaintiff del Rio was stranded at KOA for an additional 11 hours overnight.
`
`15.
`
`Stranded overnight at the airport due to the CrowdStrike Outage, Plaintiff del Rio
`
`had no other options but to sleep on benches or the floor during the 11-hour delay. As a result,
`
`Plaintiff del Rio developed pain in his neck and back which lasted for several days.
`
`16.
`
`The CrowdStrike Outage was still causing massive flight delays and cancellations
`
`when Plaintiff del Rio arrived in San Francisco. As a result, Plaintiff del Rio could not get a flight
`
`from San Francisco to Los Angeles. Instead, he had to purchase tickets on yet another flight, this
`
`time from San Jose, California, to Burbank, California.
`
`4
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 5 of 27
`
`17.
`
`Plaintiff del Rio had no way to reach the San Jose airport for his next flight other
`
`than to pay for an Uber, which cost him approximately $80. Once Plaintiff del Rio arrived at the
`
`Burbank airport, he again had to pay for an Uber to take him home, which cost approximately $80.
`
`18.
`
`Because the CrowdStrike Outage caused such extensive flight delays and
`
`cancellations, Plaintiff del Rio did not arrive home until approximately 11:00 PM PST on July 20,
`
`2024, approximately 17 hours after he was originally scheduled to return. As a result of the nearly
`
`17 extra hours of travel, Plaintiff del Rio was forced to use his accrued paid time off to miss an
`
`additional day of work
`
`Plaintiff Jack Murphy
`
`19.
`
`20.
`
`Plaintiff Jack Murphy is a citizen of Ohio.
`
`On July 19, 2024, Plaintiff Murphy planned to fly from Columbia, South Carolina
`
`to Atlanta, Georgia, and from Atlanta to Cleveland, Ohio.
`
`21.
`
`The CrowdStrike Outage affected the IT system of the airline Plaintiff Murphy
`
`planned to travel on. As a result, Plaintiff Murphy’s flight from Columbia to Atlanta was delayed
`
`for several hours, before ultimately being canceled. Plaintiff Murphy was forced to spend time and
`
`effort arranging an alternative later flight from Columbia to Atlanta.
`
`22.
`
`Due to the CrowdStrike Outage, Plaintiff Murphy’s flight from Atlanta to
`
`Cleveland was also significantly delayed, stranding Plaintiff Murphy in the Atlanta airport for
`
`approximately nine hours. During the delay, he spent additional time and effort attempting to
`
`arrange an alternate flight to Cleveland, including waiting in a line to speak with airline personnel
`
`for nearly three and a half hours before Plaintiff Murphy was able to book a different flight to
`
`Cleveland.
`
`5
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 6 of 27
`
`23.
`
`Due to the CrowdStrike Outage, Plaintiff Murphy did not arrive in Cleveland until
`
`approximately 2:30 AM CDT on July 20, 2024. Due to the late hour, Plaintiff Murphy could not
`
`hire an Uber to drive him from the Cleveland airport to his home. As a result, Plaintiff Murphy’s
`
`wife was forced to drive to the airport to pick up Plaintiff Murphy, a trip of approximately 45
`
`minutes each way. This drive to and from the airport, which would not have been necessary had
`
`the CrowdStrike Outage not grounded flights, used gas that Plaintiff Murphy would not have
`
`otherwise used and added additional wear to Plaintiff Murphy’s vehicle.
`
`24.
`
`Plaintiff Murphy did not arrive home until approximately 3:30 AM, which severely
`
`interrupted Plaintiff Murphy’s normal sleep schedule. The disruption to Plaintiff Murphy’s sleep
`
`schedule caused him to suffer a migraine during the day of July 20, 2024. Plaintiff Murphy
`
`experienced dizziness, pains in his head, sensitivity to light, and nausea due to the migraine.
`
`Plaintiff Steven Bixby
`
`25.
`
`26.
`
`Plaintiff Steven Bixby is a citizen of Pennsylvania.
`
`On July 19, 2024, Plaintiff Bixby planned to fly from Harrisburg, Pennsylvania to
`
`O’Hare International Airport in Chicago, Illinois (“O’Hare”), and from O’Hare to Fort Worth,
`
`Texas.
`
`27.
`
`The CrowdStrike Outage affected the IT system of the airline Plaintiff Bixby
`
`planned to travel on. As a result, Plaintiff Bixby’s flight from Harrisburg to O’Hare was delayed
`
`approximately three hours. Plaintiff Bixby’s flight from O’Hare to Fort Worth was similarly
`
`delayed for approximately four hours as a result of the CrowdStrike Outage.
`
`28.
`
`Plaintiff Bixby’s trip from Harrisburg to Fort Worth was scheduled to take
`
`approximately eight hours. But because the CrowdStrike Outage delayed his flights, his trip instead
`
`took approximately 17.5 hours—over nine hours longer than it otherwise would have.
`
`6
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 7 of 27
`
`29.
`
`Because the CrowdStrike Outage affected the IT system of the airline Plaintiff
`
`Bixby travelled on, Plaintiff Bixby’s luggage was delayed and did not arrive in Fort Worth until
`
`several hours after Plaintiff Bixby. Plaintiff Bixby had to return to the airport to retrieve his
`
`luggage when it finally arrived at approximately 2:00 AM CDT on July 20, 2024.
`
`Defendant CrowdStrike, Inc.
`
`30.
`
`Defendant CrowdStrike, Inc., is a Delaware corporation with its principal place of
`
`business located at 206 E. 9th Street, Suite 1400, Austin, TX 78701. It may be served through its
`
`registered agent: Corporation Service Company, 211 E. 7th Street, Suite 620, Austin, TX 78701.
`
`JURISDICTION AND VENUE
`
`31.
`
`The Court has subject matter jurisdiction over Plaintiffs’ claims under 28 U.S.C. §
`
`1332(d)(2), because (a) there are 100 or more Class members, (b) at least one Class member is a
`
`citizen of a state that is diverse from Defendant’s citizenship, and (c) the matter in controversy
`
`exceeds $5,000,000, exclusive of interest and costs.
`
`32.
`
`This Court has general personal jurisdiction over Defendant CrowdStrike, Inc.,
`
`because it maintains its principal place of business in this State, regularly conducts business in this
`
`State, and has sufficient minimum contacts in this State.
`
`33.
`
`Venue is proper in this Court pursuant to 28 U.S.C. § 1391(b) because Defendant’s
`
`principal places of business are in this District and a substantial part of the events, acts, and
`
`omissions giving rise to Plaintiffs’ claims occurred in this District.
`
`7
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 8 of 27
`
`FACTUAL ALLEGATIONS
`
`Overview of CrowdStrike
`
`34.
`
`Founded in 2011, CrowdStrike’s products are “tailored for large [organizations] in
`
`which CrowdStrike’s tools help them monitor their networks for signs of attack, and provide them
`
`with the information they need to respond to intrusions in a timely way.”7
`
`35.
`
`CrowdStrike “is among the most popular cybersecurity providers in the world, with
`
`close to 30,000 subscribers globally.”8 Among CrowdStrike’s customers are 298 Fortune 500
`
`companies, including financial service firms, healthcare providers, technology firms, and food and
`
`beverage companies, among others.9 Also amongst its customers are major airlines, including
`
`American Airlines, Delta, and United.10 These “are huge companies that collectively have
`
`hundreds of millions of Windows PCs and systems.”11
`
`36.
`
`CrowdStrike’s “primary technology is the Falcon platform, which helps protect
`
`systems against potential threats in a bid to minimize cybersecurity risks.”12 Falcon is a security
`
`
`7 Toby Murray, What is CrowdStrike Falcon and what does it do? Is my computer safe?, THE
`CONVERSATION (July 19, 2024 6:20 AM), https://theconversation.com/what-is-crowdstrike-
`falcon-and-what-does-it-do-is-my-computer-safe-
`235123#:~:text=CrowdStrike%20is%20a%20US%20cyber,response%E2%80%9D%20(EDR)%
`20software.
`8 Martin Coulter, CrowdStrike chaos could prompt rethink among investors, customers, REUTERS
`(July 19, 2024 5:52 PM), https://www.reuters.com/technology/cybersecurity/crowdstrike-chaos-
`could-prompt-rethink-among-investors-customers-2024-07-
`19/#:~:text=CrowdStrike%20%2D%20which%20previously%20reached%20a,its%20growth%2
`0and%20high%20margin.
`9 We stop breaches, CROWDSTRIKE, https://www.crowdstrike.com/platform/ (last accessed Aug.
`5, 2024).
`10 Kim Komando, The real reason CrowdStrike brought companies to their knees, KOMANDO
`(July 20, 2024), https://www.komando.com/news/the-real-reason-crowdstrike-brought-
`companies-to-their-knees/.
`11 Id. (emphasis in original).
`12 Sean Michael Kerner, CrowdStrike outage explained: What caused it and what’s next,
`TECHTARGET (July 25, 2024), https://www.techtarget.com/whatis/feature/Explaining-the-largest-
`IT-outage-in-history-and-whats-next.
`
`8
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 9 of 27
`
`software product that, once installed on a computer, helps prevent cyberattacks and malware.13
`
`Falcon is “purpose-built to stop breaches via a unified set of cloud-delivered technologies that
`
`prevent all types of attacks — including malware and much more.”14
`
`37.
`
`CrowdStrike offers its software products, including those responsible for or
`
`involved in the CrowdStrike Outage, on a subscription basis to its customer. CrowdStrike licenses
`
`the use of the software, but at all times retains ownership of the software.15
`
`The CrowdStrike Outage
`
`38.
`
`On or about Friday, July 19, 2024, “as part of regular operations, CrowdStrike
`
`released a [Falcon] content configuration update for the Windows sensor to gather telemetry on
`
`possible novel threat techniques.”16 Updates of this type “are a normal part of the [Falcon] sensor’s
`
`operation and occur several times a day in response to novel tactics, techniques, and procedures
`
`discovered by CrowdStrike.”17 CrowdStrike claims “[t]his is not a new process; the architecture
`
`has been in place since Falcon’s inception.”18
`
`39. With that update, CrowdStrike “introduced a logic error” which caused the Falcon
`
`sensor to crash and, as a result, crashed the Windows systems itself.19 The crashes were caused by
`
`
`
`13 Murray, supra note 7.
`14 What is CrowdStrike? Falcon platform FAQ, CROWDSTRIKE,
`https://www.crowdstrike.com/products/faq/ (last accessed Aug. 5, 2024).
`15 E.g., CrowdStrike Terms and Conditions, CROWDSTRIKE, https://www.crowdstrike.com/terms-
`conditions/ (last accessed Aug. 5, 2024); CrowdStrike Software Terms of Use, CROWDSTRIKE,
`https://www.crowdstrike.com/software-terms-of-use/ (last accessed Aug. 5, 2024).
`16 Preliminary Post Incident Review (PIR): Content Configuration Update Impacting the Falcon
`Sensor and the Windows Operating System (BSOD), CrowdStrike (July 24, 2024),
`https://www.crowdstrike.com/blog/falcon-content-update-preliminary-post-incident-report/.
`17 Technical Details: Falcon Content Update for Windows Hosts, CROWDSTRIKE (July 20, 2024),
`https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/.
`18 Id.
`19 Kerner, supra note 12.
`
`9
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 10 of 27
`
`“a defect in the Rapid Response Content, which went undetected during validation checks.”20 The
`
`July 19 update supposedly “passed validation despite containing problematic content data.”21
`
`CrowdStrike did not subject the update to additional testing or verifications before publishing it.22
`
`40.
`
`Once a Windows computer received the update, “problematic content in [the
`
`update] resulted in an out-of-bounds memory read triggering an exception. This unexpected
`
`exception could not be gracefully handled, resulting in a Windows operating system crash.”23
`
`41. Windows computers that received the Falcon update were forced into a “recovery
`
`boot loop,” meaning the computers could not start and operate properly.24 The computers displayed
`
`a “blue screen of death,” which indicates a “stop error . . . a critical error that has caused the
`
`Windows operating system to crash.”25
`
`42.
`
`CrowdStrike’s channel file updates, such as the update that caused the CrowdStrike
`
`Outage, “were pushed to computers regardless of any settings meant to prevent such automatic
`
`updates.”26
`
`
`20 Preliminary Post Incident Review Executive Summary, CROWDSTRIKE,
`https://www.crowdstrike.com/wp-content/uploads/2024/07/CrowdStrike-PIR-Executive-
`Summary.pdf (last accessed Aug. 5, 2024).
`21 Id.
`22 Bill Toulas, CrowdStrike: ‘Content Validator’ bug let faulty update pass checks, BLEEPING
`COMPUTER (July 24, 2024 10:16 AM),
`https://www.bleepingcomputer.com/news/security/crowdstrike-content-validator-bug-let-faulty-
`update-pass-checks/.
`23 Preliminary Post Incident Review (PIR), supra note 16.
`24 Tom Warren, Major Windows BSOD issue hits banks, airlines, and TV broadcasters, THE
`VERGE (July 19, 2024 2:17 AM), https://www.theverge.com/2024/7/19/24201717/windows-
`bsod-crowdstrike-outage-issue.
`25 Davey Winder, Blue Screen of Death—Microsoft Says Turn It Off And On Again And Again
`And Again, Forbes (July 20, 2024 7:03 AM),
`https://www.forbes.com/sites/daveywinder/2024/07/20/blue-screen-of-death-microsoft-says-
`turn-it-off-and-on-again-and-again-and-again/.
`26 Wes Davis, CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft,
`THE VERGE (July 20, 2024 12:20 PM),
`https://www.theverge.com/2024/7/20/24202527/crowdstrike-microsoft-windows-bsod-outage.
`
`10
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 11 of 27
`
`43.
`
`Falcon “follows a common practice of continuous integration and continuous
`
`delivery . . . such that software updates are deployed at once for many customers at scale.”27 In
`
`total, the “faulty update” caused a global technology disaster that affected 8.5 million Windows
`
`devices.28
`
`CrowdStrike Knew of the Risks of a Software Error
`
`44.
`
`At all relevant times, CrowdStrike knew, or should have known, that failing to
`
`develop, implement, and maintain reasonable software development, testing, and validation
`
`processes, procedures, or controls would inevitably result in it publishing and disseminating a
`
`software update containing serious flaws, errors, invalid data, or bugs.
`
`45.
`
`At all relevant times, CrowdStrike also knew, or should have known, that
`
`publishing and disseminating an update containing serious flaws, errors, invalid date, or bugs,
`
`would cause a massive and widespread outage of its customers’ computer systems.
`
`46.
`
`Software containing a flaw or bug can “degrade interconnected systems or cause
`
`serious malfunctions.”29 To prevent these issues, software testing is an essential practice to ensure
`
`software functions as expected and to detect serious flaws, errors, invalid data, or bugs in the
`
`software.30
`
`
`27 See Matt Kapko, CrowdStrike says flawed update was live for 78 minutes, CYBERSECURITY
`DIVE (July 23, 2024), https://www.cybersecuritydive.com/news/crowdstrike-flawed-update-78-
`minutes/722070/.
`28 Davis, supra note 26.
`29 What is software testing?, IBM, https://www.ibm.com/topics/software-testing (last accessed
`Aug. 5, 2024).
`30 The Importance of Software Testing, IEEE COMPUT. SOC.,
`https://www.computer.org/resources/importance-of-software-testing (last accessed Aug. 5,
`2024).
`
`11
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 12 of 27
`
`47.
`
`“The importance of effective testing cannot be overstated when developing and
`
`maintaining complex, reliable software systems in today’s world.”31 Indeed, CrowdStrike itself
`
`recommends that organizations search for and detect software bugs.32
`
`48. While companies such as CrowdStrike deploy security updates often, “it is
`
`important that they aren’t rushed and go through the basic due diligence to ensure something like
`
`CrowdStrike [O]utage doesn’t happen.”33 If a software update has the potential to affect “not just
`
`your users but your users’ users, you must slow-roll the release over a period of hours or days,
`
`rather than risk crippling the entire planet with one large update.”34
`
`49.
`
`In filings with the Security and Exchange Commission, CrowdStrike has
`
`acknowledged the risk that product enhancements “may have quality or other defects or
`
`deficiencies.”35 CrowdStrike also knew that, “[b]ecause our cloud native security platform is
`
`complex, it may contain defects or errors that are not detected until after deployment.”36 It further
`
`knew that “errors, defects or performance problems in our software” and “improper deployment
`
`or configuration of our solutions” could affect the delivery, availability, and performance of its
`
`Falcon platform.37
`
`
`
`31 Id.
`32 See Jacob Garrison, How to Secure Business-Critical Applications, CROWDSTRIKE (Feb. 9,
`2024), https://www.crowdstrike.com/blog/how-to-secure-business-critical-applications/.
`33 Shweta Sharma, CrowdStrike was not the only security vendor vulnerable to hasty testing,
`CSO ONLINE (July 29, 2024), https://www.csoonline.com/article/3478372/crowdstrike-was-not-
`the-only-security-vendor-vulnerable-to-hasty-testing.html.
`34 Id.
`35 Form 10-K, CROWDSTRIKE (Mar. 6, 2024), https://ir.crowdstrike.com/static-files/29e71f45-
`3c39-4c2c-9159-5e7bb9f3315b.
`36 Id.
`37 See id.
`
`12
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 13 of 27
`
`50.
`
`The aviation sector is considered part of America’s critical infrastructure according
`
`to the Cybersecurity and Infrastructure Security Agency.38 CrowdStrike knows its Falcon platform
`
`is used by airlines and airports.39
`
`51.
`
`CrowdStrike knew that the incapacitation of critical infrastructure systems, such as
`
`the aviation sector, “would have a debilitating effect on the security and safety of [American]
`
`citizens.”40 CrowdStrike also knew that “nearly all critical infrastructures rely heavily on cyber
`
`and network support to operate these essential systems.”41
`
`52.
`
`CrowdStrike knew that “[a]irport and aircraft operators run complex networks of
`
`IT and OT systems to move passengers and freight safely and efficiently across the United
`
`States.”42 It also knew that disruption of airline information technology and operational technology
`
`systems could cause “business degradation and disruption of airline operations.”43
`
`53.
`
`It is clear that the “tech providers that support infrastructure relied upon by the
`
`public and private sectors bear a responsibility to protect our safety and security.”44 Therefore,
`
`
`38 Transportation Systems Sector, CYBERSEC. & INFRASTRUCTURE SEC. AGENCY,
`https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-
`sectors/transportation-systems-sector (last accessed Aug. 5, 2024).
`39 E.g., Jamie Gale, Porter Airlines Consolidates Its Cloud, Identity and Endpoint Security with
`CrowdStrike, CROWDSTRIKE (Apr. 18, 2024), https://www.crowdstrike.com/blog/porter-airlines-
`consolidates-cybersecurity-with-crowdstrike/.
`40 Shawn Henry, Critical Infrastructure: One More Thing to Give Thanks For — and Protect,
`CROWDSTRIKE (Nov. 22, 2016), https://www.crowdstrike.com/blog/critical-infrastructure-one-
`thing-give-thanks-protect/.
`41 Id.
`42 Cyber Resilience for the Airline Industry, CROWDSTRIKE, https://www.crowdstrike.com/wp-
`content/uploads/2023/04/crowdstrike-cyber-resilience-for-airline-industry.pdf (last accessed
`Aug. 5, 2024).
`43 See id.
`44 Heidi Boghosian, Opinion: The CrowdStrike outage shows the danger of depending on Big
`Tech overlords, LA TIMES (July 23, 2024 12:07 PM),
`https://www.latimes.com/opinion/story/2024-07-23/crowdstrike-outage-microsoft-tech-security.
`
`13
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 14 of 27
`
`technology providers must prioritize security and reliability in their products “over other incentives
`
`such as cost, features, and speed to market.”45
`
`54.
`
`CrowdStrike, as a cybersecurity company, was and is well aware of the damage a
`
`large-scale IT system outage would cause. CrowdStrike also knew of the risks of system failures
`
`posed by software and software updates containing serious flaws, errors, invalid data, or bugs. It
`
`knows that the “adverse effects of any service interruptions . . . may be disproportionately
`
`heightened due to the nature of [its] business and the fact that [its] customers have a low tolerance
`
`for interruptions of any duration.”46
`
`55.
`
`CrowdStrike failed to adequately and reasonably test or validate the July 19, 2024
`
`update to ensure it did not contain any serious flaws, errors, invalid data, or bugs. Had CrowdStrike
`
`developed, implemented, and maintained reasonable software development, testing, and validation
`
`processes, procedures, or controls, it would have discovered the serious flaws, errors, invalid data,
`
`or bugs in the July 19, 2024 update and prevented the CrowdStrike Outage from occurring.
`
`56.
`
`For example, it is “a fairly standard practice to roll out updates gradually, letting
`
`developers test for any major problems before an update hits their entire user base.”47 If
`
`CrowdStrike had followed this industry-standard process, it would have discovered the flaws,
`
`errors, invalid data, or bugs in the update, and would not have published and disseminated the
`
`flawed update to all of its customers, including airlines48. This process would have prevented the
`
`global effects of the CrowdStrike Outage.
`
`
`45 Jessica Lyons, US cybersecurity chief: Software makers shouldn’t lawyer their way out of
`security responsibilities, THE REGISTER (Feb. 28, 2023 10:23 PM),
`https://www.theregister.com/2023/02/28/cisa_easterly_secure_software/.
`46 Form 10-K, supra note 35.
`47 Warren, supra note 1.
`48 See id.
`
`14
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 15 of 27
`
`57.
`
`The CrowdStrike Outage was entirely foreseeable, especially in light of other recent
`
`software problems that have similarly affected consumers. For example, in January, 2023, a
`
`damaged database file forced the FAA to impose a nationwide ground stop, which delayed more
`
`than 10,000 flights and resulted in over 1,300 flights being cancelled.49 In April, 2023, Southwest
`
`Airlines experienced a technology failure caused by a failure in vendor-supplied software.50 The
`
`technical issue forced Southwest Airlines to ground 1,820 flights nationwide.51 In 2010, an error
`
`in a security update for McAfee’s corporate antivirus software caused Windows computers around
`
`the globe to crash.52
`
`58.
`
`These and other similar events illustrate why it is “absolutely critical” that vendors
`
`supplying software updates or patches “thoroughly test [them] to ensure that those updates are not
`
`causing harm or outages.”53
`
`59.
`
`CrowdStrike knew or should have known of these and other similar instances of
`
`software and IT system failures, and CrowdStrike knew or should have known that publishing and
`
`
`49 David Shepardson et al., Airlines hope for return to normal Thursday after FAA outage snarls
`U.S. travel, REUTERS (Jan. 11, 2023 8:28 PM), https://www.reuters.com/business/aerospace-
`defense/us-faa-says-flight-personnel-alert-system-not-processing-updates-after-outage-2023-01-
`11/.
`50 See Allison Lampert & Rajesh Kumar Singh, Southwest network failure raises concerns over
`system’s strength, REUTERS (Apr. 20, 2023 5:00 AM),
`https://www.reuters.com/business/aerospace-defense/southwest-network-failure-raises-concerns-
`over-systems-strength-2023-04-19/.
`51 Stefanie Schappert, Southwest Airlines forced to ground all US flights – again, CYBERNEWS
`(Apr. 19, 2023 6:52 AM), https://cybernews.com/news/southwest-airlines-technical-issues-
`flights-grounded-again/.
`52 David Kravets, McAfee Probing Bungle That Sparked Global PC Crash, WIRED (Apr. 22,
`2010 1:24 PM), https://www.wired.com/2010/04/mcafeebungle/; Declan McCullagh, Buggy
`McAfee update whacks Windows XP PCs, CNN (Apr. 22, 2010 11:24 AM),
`https://www.cnn.com/2010/TECH/04/22/cnet.mcafee.antivirus.bug/index.html.
`53 Sharma, supra note 33.
`
`15
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 16 of 27
`
`dissemination a software update for its Falcon platform containing serious flaws, errors, invalid
`
`data, or bugs would cause similar flight delays and cancellations.
`
`The CrowdStrike Outage Caused Widespread Flight Delays and Cancellations
`
`60.
`
`The CrowdStrike Outage had major impacts on air travel within the United States
`
`and internationally. Airlines were hit “particularly hard” by the CrowdStrike Outage due to the
`
`aviation sector’s “sensitivity to timings.”54
`
`61.
`
`A statement by United Airlines indicated the CrowdStrike outage “affected many
`
`separate systems, such as those used for calculating aircraft weight, checking in customers, and
`
`phone systems in our call centers.”55 Plaintiffs and Class members “faced delays, cancellations
`
`and problems checking in as airports and airlines” were ground to a halt by the CrowdStrike
`
`Outage.56
`
`62.
`
`According to the Federal Aviation Administration, “several U.S. carriers, including
`
`American Airlines, United Airlines, and Delta Air Lines, issued ground stops for all their flights
`
`early on” Friday, July 19, 2024, due to the CrowdStrike Outage.57 By approximately 8:40 PM ET
`
`on Friday, July 19, 2024, over 3,000 flights had been canceled and over 11,000 flights had been
`
`
`54 Zach Wichter et al., 2,600+ US flights canceled: United, American Airlines resume service
`after global outage, USA Today (July 19, 2024 5:18 PM),
`https://www.usatoday.com/story/travel/news/2024/07/19/global-it-outage-flights-canceled-
`delayed/74466125007/.
`55 Zach Wichter et al., 1,600+ US flights canceled Saturday: United, Delta still working to
`recover from outage, USA TODAY (July 20, 2024 9:02 AM),
`https://www.usatoday.com/story/travel/airline-news/2024/07/20/flight-canceled-delta-
`united/74481266007/.
`56 Wichter et al., supra note 54.
`57 See id.
`
`16
`
`
`
`Case 1:24-cv-00881-RP Document 1 Filed 08/05/24 Page 17 of 27
`
`delayed.5