We finally know what caused the global tech outage - and how much it cost | CNN Business (2024)

We finally know what caused the global tech outage - and how much it cost | CNN Business (1)

After multiple cancelled flights to Washington D.C., Delta Airlines passengers Patty (L) and Alice Crump get ticketing assistance from an agent at Hartsfield-Jackson Atlanta International Airport.

CNN

Insurers have begun calculating the financial damage caused by last week’s devastating CrowdStrike software glitch that crashed computers, canceled flights and disrupted hospitals all around the globe — and the picture isn’t pretty.

What’s been described as the largest IT outage in history will costFortune 500 companies alone more than $5 billion in direct losses, according to one insurer’s analysis of the incident published Wednesday.

The new figures put into stark relief how a single automated software update brought much of the global economy to a sudden halt — revealing the world’s overwhelming dependence on a key cybersecurity company — and what it will take to recover.

Theestimates come the same day that CrowdStrike issued a preliminary report on how it inadvertently caused the widespread IT meltdown. It is the most detailed technical analysis to date of the outage.

Businesses are scrambling to recover – especially Delta Air Lines. Delta is still dealing with fallout from the glitch, as thousands of flights have been canceled. The Department of Transportation is investigating.

Numerous Fortune 500 companies use CrowdStrike’s cybersecurity software to detect and block hacking threats. But when CrowdStrike issued an update last week to its signature cybersecurity software, known as Falcon, millions of computers around the world running Microsoft Windows crashed because of the way that the update interacted with Windows.

The health care and banking sectors were the hardest hit by CrowdStrike’s mishap, with estimated losses of $1.94 billion and $1.15 billion, respectively, said Parametrix, the cloud monitoring and insurance firm behind Wednesday’s analysis.

Fortune 500 airlines such as American and United were the next most affected, losing a collective $860 million, Parametrix said.

All told, the outage may have cost Fortune 500 companies as much as $5.4 billion in revenues and gross profit, Parametrix said, not counting any secondary losses that may be attributed to lost productivity or reputational damage. Only a small portion, around 10% to 20%, may be covered by cybersecurity insurance policies, Parametrix added.

Fitch Ratings, one of the largest US credit ratings agencies, said Monday that the types of insurance likely to see the most claims stemming from the outage include business interruption insurance, travel insurance and event cancellation insurance.

“This incident highlights a growing risk of single points of failure,” Fitch said in a blog post, warning that such single points of failure “are likely to increase as companies seek consolidation to take advantage of scale and expertise, resulting in fewer vendors with higher market shares.”

The eye-popping damage estimates underscore how a preventable mistake at one of the world’s most dominant cybersecurity firms has had cascading effects for the global economy — and may prompt more calls for CrowdStrike to be held accountable.

What went wrong

On Wednesday, CrowdStrike released a report outlining the initial results of its investigation into the incident, which involved a file that helps CrowdStrike’s security platform look for signs of malicious hacking on customer devices.

The company routinely tests its software updates before pushing them out to customers, CrowdStrike said in the report. But on July 19, a bug in CrowdStrike’s cloud-based testing system —specifically,the part that runs validation checks on new updates prior to release — ended up allowing the software to be pushed out “despite containing problematic content data.”

The bad release was published just after midnight Eastern time on July 19, and rolled back an hour and a half later, at 1:27 a.m. Eastern, CrowdStrike said. But by then millions of computers had already automatically downloaded the faulty update. The issue affected only Windows devices, not Mac or Linux machines, and only those that were switched on and able to receive updates during those early morning hours.

Thanks to the timing of the incident, organizations in Europe and Asia “had more of their work day affected by the outage, unlike the Americas,” Fitch wrote in its blog post.

When Windows devices using CrowdStrike’s cybersecurity tools tried to access the flawed file, it caused an “out-of-bounds memory read” that “could not be gracefully handled, resulting in a Windows operating system crash,” CrowdStrike said.

That’s the Blue Screen of Death that many people reported seeing on their machines, and that only a manual intervention to delete the bad file could fix — a slow, painstaking process when you consider that as many as 8.5 million individual devices will need to be reset this way.

That figure is small as a percentage of the wider Windows ecosystem, said Microsoft — a company that played no direct role in the outage. Still, Microsoft said in a blog post, it “demonstrates the interconnected nature of our broad ecosystem.”

CrowdStrike said that the testing and validation system that approved the bad software update had appeared to function normally for other releases made earlier in the year. But it pledged Wednesday to keep software glitches like last week’s from happening again, and to publicly release a more detailed analysis when it becomes available.

The company added that it is developing a new check for its validation system “to guard against this type of problematic content from being deployed in the future.”

And CrowdStrike said it also plans to move to a staggered approach to releasing content updates so that not everyone receives the same update at once, and to give customers more fine-grained control over when the updates are installed.

CNN’s Sean Lyngaas contributed to this report

We finally know what caused the global tech outage - and how much it cost | CNN Business (2024)

FAQs

How much did CrowdStrike outage cost? ›

The days-long cyberincident — which grounded planes, shuttered businesses and stopped markets — cost Fortune 500 companies about $5.4 billion in damages, according to insurance company Parametrix. But insured losses are expected to be far less than that.

How much did the CrowdStrike incident cost? ›

Many industries were affected—airlines, airports, banks, hotels, hospitals, manufacturing, stock markets, broadcasting, gas stations, retail stores, and more—as were governmental services, such as emergency services and websites. The worldwide financial damage has been estimated to be at least US$10 billion.

What was the cause of CrowdStrike outage? ›

The outage that started July 19 was caused by a malformed update that was sent to a piece of security software called “CrowdStrike Falcon.” While CrowdStrike may not be a household name, it is a major enterprise security company that builds what we call Endpoint Detection and Response (EDR) software.

How much money was lost due to CrowdStrike? ›

According to data from Parametrix, the global IT outage linked to CrowdStrike is likely to have caused at least $5.40 billion in direct financial losses for Fortune 500 companies, excluding Microsoft. Cyber insurance is expected to cover only 10% to 20% of these losses.

How much money did Delta lose because of CrowdStrike? ›

The US-based carrier accused the cybersecurity company of "negligence", saying it was forced to cancel thousands of flights because and had lost at least $500m (£392m) as a result.

Could CrowdStrike outage cost $5.4 B? ›

The global technology outage sparked by CrowdStrike's faulty update will cost US Fortune 500 companies $5.4bn, insurers estimated, as the cybersecurity firm vowed to make changes to prevent it from happening again.

What was the root cause of the CrowdStrike issue? ›

CrowdStrike has published its root cause analysis about the update crash that turned off millions of Microsoft Windows devices globally. The crash occurred because there was a mismatch between the 21 inputs passed to the CrowdStrike content validator and the 20 supplied to the content interpreter.

What caused global tech outage? ›

But when CrowdStrike issued an update last week to its signature cybersecurity software, known as Falcon, millions of computers around the world running Microsoft Windows crashed because of the way that the update interacted with Windows.

Why did CrowdStrike drop so much? ›

While investors were sleeping, CrowdStrike released a defective update to its software that caused Microsoft-based IT systems to go down.

Can CrowdStrike survive? ›

CrowdStrike will likely survive and move forward, but, reputationally, it can't afford another incident like this, said William MacMillan, a former CISO at the CIA.

Is CrowdStrike legally liable? ›

The overall consensus among legal experts is that CrowdStrike is likely protected by its terms and conditions from reimbursing customers for more than they paid for the product, limiting its software liability in what the company now refers to as "the Channel File 291 Incident." However, the fact that affected ...

Who funds CrowdStrike? ›

CrowdStrike is supported by original investor Warburg Pincus and other prominent investors including Accel, CapitalG, IVP, March Capital, General Atlantic, Rackspace, and Telstra Ventures.

How much did CrowdStrike pay? ›

The average CrowdStrike salary ranges from approximately $70,476 per year for Contract Administrator to $260,000 per year for Vice President of Marketing. Average CrowdStrike hourly pay ranges from approximately $20.83 per hour for Sales Intern to $30.50 per hour for Executive Assistant.

How much does CrowdStrike complete cost? ›

Based on Vendr's internal transaction data for CrowdStrike, the minimum price varies based on a company's specific needs, while the maximum price can reach up to $950,000. Our data reveals that the average cost for CrowdStrike software is about $90,000 annually.

What is the price estimate for CrowdStrike? ›

The average price target for CrowdStrike Holdings is $325.17. This is based on 40 Wall Streets Analysts 12-month price targets, issued in the past 3 months. The highest analyst price target is $420.00 ,the lowest forecast is $265.00. The average price target represents 15.35% Increase from the current price of $281.91.

How much debt does CrowdStrike have? ›

Total debt on the balance sheet as of April 2024 : $0.79 B

According to CrowdStrike's latest financial reports the company's total debt is $0.79 B.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Chrissy Homenick

Last Updated:

Views: 6333

Rating: 4.3 / 5 (74 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Chrissy Homenick

Birthday: 2001-10-22

Address: 611 Kuhn Oval, Feltonbury, NY 02783-3818

Phone: +96619177651654

Job: Mining Representative

Hobby: amateur radio, Sculling, Knife making, Gardening, Watching movies, Gunsmithing, Video gaming

Introduction: My name is Chrissy Homenick, I am a tender, funny, determined, tender, glorious, fancy, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.