When your cybersecurity firm tasked with guarding against harmful malware unleashes the biggest global IT outage in history, there’s really nowhere to hide. So Shawn Henry cut straight to the chase.
“On Friday we failed you, and for that I’m deeply sorry,” began the post, written by CrowdStrike’s chief security officer.
An update pushed out from the cloud just hours before the work week came to an end caused Windows-based computer systems to crash, boot up and crash again in an endless loop punctuated only by the so-called BSOD, or Blue Screen of Death.
Key industries around the world that used Crowdstrike’s Falcon software—like aviation, banking, and health care—were paralyzed for hours if not days. Delta Airlines is still reeling, cancelling hundreds of flights on Monday and leaving passengers stranded for days on end.
This CrowdStrike outage is a thing of nightmares. Imagine having to have to walk to each of the downed systems and manually fix it. Even worse with FDE.
— Tim Medin 🇺🇦🌻 (@TimMedin) July 19, 2024
I have flashbacks of Nimda and the reboot loop, but this is worse. pic.twitter.com/qY5apjMBaU
“The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch,” Henry continued. “We let down the very people we committed to protect, and to say we’re devastated is a huge understatement."
The genuine contrition expressed differed notably from the message coming from CEO and founder George Kurtz, whose company's stock has already lost roughly a quarter of its value as investors await word of possible lawsuits.
Kurtz’s initial statement on Friday appeared so sanitized that customers could have been forgiven for thinking the problem might have lain elsewhere. Since there was no direct acknowledgement of CrowdStrike’s culpability, there was not so much as a curt word of apology.
not even an apology? Bold strategy.
— Tom Warren (@tomwarren) July 19, 2024
His reaction came as somewhat of a surprise. In theory Kurtz should have some practice in crisis communications, since he served as the chief technology officer for McAfee at the time when it, too, knocked out millions of computers worldwide in 2010.
Now, U.S. House leaders are calling Kurtz to testify before Congress to explain the software update fiasco.
Businesses most affected were those providing critical services
For some customers, the words of his CSO come too little too late.
“We just deleted Crowdstrike from all our systems,” Elon Musk posted on Friday, though he wasn't clear whether he was talking about one or all of his businesses.
We just deleted Crowdstrike from all our systems, so no rollouts at all
— Elon Musk (@elonmusk) July 19, 2024
In terms of lost economic output, it’s hard to precisely measure the havoc his software firm visited upon the world. Microsoft estimated just 8.5 million Windows devices, or less than 1% of all machines, were affected at the end of the day. The problem was the concentration of industries relying on CrowdStrike’s Falcon software.
“While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services,” Microsoft said on Saturday.
Investors have since flocked to smaller rival SentinelOne, whose stock has gained more than 20% since Friday. The CrowdStrike debacle may have also factored into cybersecurity firm Wiz now passing on a reported deal to be acquired by Google parent Alphabet, reportedly worth $23 billion.
Upon seeing the pullback in CrowdStrike, analysts at Deutsche Bank sought to rush out a quick broker note identifying it as a short-term buying opportunity for such a high-quality stock.
“However,” it added, “we were ironically unable to publish our original research note due to the outage itself.”