It Wasn’t Me: Lessons Learned from Delta’s CrowdStrike Debacle

By Amelia Fogg, Director

Fallout from last month’s catastrophic IT outage has spiraled into a dramatic, finger-pointing spectacle between Delta Air Lines, CrowdStrike, and Microsoft, complete with public legal threats and dueling demand letters.  This post discusses Delta’s communications strategy and lessons that can be learned as the airline contends with $500 million in losses, reputational damage, and lingering questions about its slow recovery from the IT disruption.

Shots Fired

The accusations began when Bastian appeared on CNBC on July 31 to discuss the incident and not-so-subtly preview legal action against CrowdStrike and Microsoft. Bastian reiterated the company’s apology to customers and briefly acknowledged Delta’s commitment to rethinking its operations systems to mitigate future risk. But instead of further detailing Delta’s plans to strengthen its IT infrastructure and digital resilience, he then began playing the blame game, framing this incident as a call to “[make] sure big tech is responsible” and citing tech companies’ “crazy valuations” to suggest that the incident was a consequence of prioritizing growth over delivering exceptional service.

Bastian concluded that Delta has no choice but to sue for damages, stating: “We have to protect our shareholders. We have to protect our customers, our employees, for the damage, not just to the cost of it, but to the brand, the reputational damage.”

A few days later, both CrowdStrike and Microsoft responded to Delta’s threats via publicized legal letters, claiming that Delta turned down or ignored repeated offers for assistance throughout the outage. The companies accused Delta of putting forth a misleading narrative that misplaces blame for Delta’s own IT decisions and response to the outage and failing to take responsibility for its actions.

What We Can Learn

While this situation will likely play out over time, there are lessons that we can take away from Bastian’s flawed communications approach.

Lesson #1: When it comes to high-profile lawsuits, the juice may not always be worth the squeeze:  Delta’s decision to threaten legal action on live television may have satisfied certain stakeholders, but others are unlikely to respond favorably to his placing of blame on others considering how painfully slow Delta’s recovery has been. This strategy also provided fodder for CrowdStrike and Microsoft to publicly attack Delta and prolonged a negative news cycle, setting the stage for a very public, expensive, and distracting legal fight.  

The Takeaway: Companies should consider their reputations when determining whether to pursue legal action and any related communications strategy. Stakeholders expect accountability when things go wrong, but pursuing litigation that squarely blames another party precludes companies from shouldering any responsibility. Entering into highly publicized litigation may not be worthwhile if it will drag your company through the mud, erode stakeholder confidence in the process, and destroy long-term value – possibly more value than can be gained from a successful litigation outcome.

Lesson #2: Take the long view: The strength of Delta’s legal arguments remains to be seen. However, Delta’s hardline narrative – that CrowdStrike and Microsoft bear full responsibility for its extended service meltdown – offers little margin for error and could undermine the airline’s credibility if information later emerges through discovery or the Department of Transportation’s federal investigation showing that Delta was partially or completely at fault for the slow recovery. For example, the vendors’ claims about Delta’s outdated IT infrastructure and refusal to accept assistance have already begun to seed doubt about Delta’s claims in the court of public opinion.

The Takeaway: The truth will almost always come out, especially in litigation – and as a result, it’s important that companies stick to known facts and avoid overly firm, stubborn stances that may easily be refuted and damage credibility in the long run. To manage this risk when the facts are in flux, focus on the fix not the fault.