Investors Say Cybersecurity Company Made False and Misleading Statements About Tech
CrowdStrike is facing a putative class action lawsuit from investors arguing they were misled by the company and told its technology was “validated, tested and certified” before a faulty update triggered a global IT outage in late July.
The Plymouth County Retirement Association alleges that CrowdStrike employed inadequate controls and failed to properly test updates to its Falcon endpoint detection and response platform before rolling them out to customers and causing major widespread outages starting on July 19. The lawsuit also alleges that CrowdStrike stock was trading “at artificially high prices” as a result of “materially false and misleading statements and omissions.”
Millions of Windows hosts were affected by the faulty CrowdStrike update, which led to disruptions at major hospitals and airports and a wide range of public safety concerns (see: Microsoft Sees 8.5M Systems Hit by Faulty CrowdStrike Update). The software flaw caused Windows PCs to display the infamous “blue screen of death” in an endlessly recurring reboot loop.
CrowdStrike’s stock price plummeted nearly 32% following the global outage, wiping out nearly $25 billion of market value beginning July 19, according to the lawsuit. The investors said 911 hotlines became inoperable and airlines were forced to ground thousands of flights after a system issue allowed the update to go through without proper testing.
“Since the CrowdStrike Outage, publicly revealed evidence indicates that CrowdStrike was taking insufficient precautions regarding such updates,” the lawsuit says.
Nearly all affected Windows PCs have resumed normal operations, according to CrowdStrike. CEO George Kurtz offered an apology on LinkedIn, saying: “I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted.”
“While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency,” Kurtz said, adding that the company’s recovery efforts have been aided by automatic techniques. The CEO also said that CrowdStrike has published a preliminary incident report detailing additional steps it will take to prevent similar incidents.