Cyber security company CrowdStrike says it will give affected customers at least $88 million ($US60 million) in credits and has cut its revenue and profit forecasts after a fault in a software update caused more than 8.5 million computers to crash in July.

The American firm said its reduced guidance to investors on Wednesday was partly due to the estimated cost of what it called its “customer commitment package” — but that cost could grow, with affected companies such as Delta Airlines already seeking damages.

The Wall Street Journal reported CrowdStrike had also spent around $7.4 million ($US5 million) in legal fees and other expenses following the incident on 19 July, but the company said it was too early to estimate further legal liabilities.

CrowdStrike said it now expected its annual revenue to be between $US3.89 billion and $US3.90 billion, after previously expecting more than $US3.98 billion.

The company’s co-founder and CEO George Kurtz said the firm had become “even more resilient and even more customer-obsessed” after working with its customers to recover from the July outage, which was one of the worst in history.

“Our vision and mission of stopping breaches remains unchanged,” he said.

“… I want to thank all of our customers for their trust and support, as well as our team and partners for coming together to respond to the July 19th incident.”

CrowdStrike CFO Burt Podbere said he expected the company to face challenges for the next 12 months.

Shaul Eyal, an analyst with investment bank TD Cowen, told Reuters, “The overall view is skies are not falling in light of the [19 July] outage,” adding that CrowdStrike’s second-quarter results and guidance were “better than feared”.

The value of CrowdStrike shares has fallen around 20 per cent since the outage.


CrowdStrike, its CEO George Kurtz (left), and CFO Burt Podbere (right) are now defendants in multiple lawsuits. Photos: CrowdStrike / Supplied

CrowdStrike faces lawsuits and Windows changes

Last month's global outage was caused by a bug in an update to CrowdStrike’s Falcon software, which caused computers running Falcon on Microsoft’s Windows operating system to crash, leaving them stuck on the so-called Blue Screen of Death.

The incident affected many large organisations including news broadcasters, banks, airlines, and retailers.

In its full root cause analysis published earlier in August, CrowdStrike defended itself against accusations that it had not tested the problematic update before it was rolled out.

The company, as well as its CEO and CFO, is facing multiple class action lawsuits from shareholders who have accused them of being misleading and causing “substantial reputational harm and legal risk” to the firm.

CEO Kurtz has also been called on to testify before US Congress about the July incident, but a date has not been set.

Microsoft, meanwhile, has planned a cyber security summit at its headquarters in the US state of Washington on 10 September, in the wake of the CrowdStrike incident.

Representatives from CrowdStrike and other Microsoft partners are expected to attend, and the company has also invited US government representatives.

“The CrowdStrike outage in July 2024 presents important lessons for us to apply as an ecosystem,” Microsoft said.

“Our objective is to discuss concrete steps we will all take to improve security and resiliency for our joint customers.”

Last month, Microsoft flagged possible changes to Windows which could see cyber security platforms such as CrowdStrike’s Falcon granted lower levels of access to the Windows operating system.