Good morning.
Is it too late now to say sorry? By the time CrowdStrike CEO George Kurtz posted a message on X about the software “defect” that unleashed global chaos on Friday, his problem was technically solved. The issue had been “identified, isolated and a fix has been deployed,” he wrote. While the bug hit less than 1% of Windows devices, it grounded more than 6% of the world’s commercial flights. It also halted surgeries, broadcasts, money transfers, 911 call centers, train systems, stores, hotel reservations, mobile apps, and some government services. As of yesterday, many were still scrambling to recover.
Now, Kurtz and CrowdStrike enter a risky period. A cybersecurity company’s software update just wreaked more havoc than any virus it was designed to block. Losses could rise into the billions and customers will at least pause to examine the perils of being too tied to one technology. Hackers are creating new security threats, the stock is down by almost a third, and Kurtz is being called to testify before Congress.
The fact that this catastrophe was caused by CrowdStrike’s failure made it all the more notable that Kurtz didn’t apologize from the outset. A few hours later, he did go on the Today show to say “we’re deeply sorry,” later giving a personal apology to those impacted on another show. (That appears to be the extent of his media tour, by the way.) As reputation guru Davia Temin told me on Saturday, “What you say first counts double as that’s the sentiment people remember.”
Some CEO statements are so mind-boggling that they’re hard to shake, from the then BP chief Tony Hayward saying “I’d like my life back” after the deadly Deepwater Horizon disaster in 2010 to Boeing CEO David Calhoun telling a Senate subcommittee “I’m proud of our safety record” just last month.
Prior to Friday’s outage, CrowdStrike was one of the best-performing stocks this year. It’s likely built a reservoir of goodwill with customers, who could forgive—though Elon Musk did not, announcing on X that he’d removed CrowdStrike from all systems. At the same time, having experienced a major IT crash while serving as CTO of McAfee in 2010, Kurtz should have been better prepared to handle this kind of crisis.
And yet CrowdStrike’s response remains, at best, underwhelming. Three days after what may be the largest IT outage in history, CrowdStrike’s home page looked cluelessly upbeat—boasting the “fastest mean time to detect.” Does waiting 78 minutes to detect and roll back a carnage-causing update qualify as fast? There’s no mention of that incident, other than a subtle link to a “remediation and guidance hub” with PR statements that look like a user manual.
I know this because CrowdStrike responded to my request for comment from Kurtz by sending me links to those statements. To be fair, Kurtz must be getting a lot of requests—from media, customers, vendors, lawyers and more. Maybe Kurtz felt a few TV hits were sufficient to get the word out. It was a summer Friday, after all.
More news below.
Diane Brady
diane.brady@fortune.com
Follow on LinkedIn
