CrowdStrike has prevailed over a shareholder lawsuit for losses sustained following its world-freezing outage in July 2024.

A group of CrowdStrike shareholders had filed a lawsuit in Austin, Texas that accused the cybersecurity vendor of misleading shareholders about its Falcon software.

After a botched security update in Falcon led to an estimated 8.5 million Windows devices crashing at global airlines, banks, healthcare companies, and businesses, the complainants alleged CrowdStrike had not properly tested software updates before rolling them out.

The shareholders alleged CrowdStrike had “no test plans” or “quality assurance team”, despite reported comments from chief executive George Kurtz that the company’s software was “validated, tested and certified”.

A judge threw out the lawsuit after the plaintiffs failed to plausibly allege “strong circumstantial evidence of fraud or severe recklessness” from CrowdStrike, in a decision released Tuesday.

“Plaintiffs have failed to plausibly plead a strong inference of [intent to defraud] for the individual defendants or for CrowdStrike itself,” said US District Judge Robert Pitman.

“The court will grant defendants’ motion to dismiss.”

CrowdStrike chief legal officer Cathleen Anderson welcomed the court’s decision.

“We appreciate the court’s thoughtful consideration and decision to dismiss this case,” she said in a statement.

Actually, you’re the problem

Not only did the court dismiss what was positioned as a historic lawsuit, but court documents showed shareholders themselves were deemed more misleading than CrowdStrike.

Led by New York State comptroller Thomas DiNapoli, the shareholders pointed to CrowdStrike statements in 2023 and 2024 that promised a “quality assurance team”.

The court, however, found “no reasonable investor” would have assumed purely from the statements that CrowdStrike had a quality assurance team that tested software updates.

“The court agrees with defendants that the statements pointed to by plaintiffs are ‘neither false nor misleading when considered in the context from which Plaintiffs removed them’,” read court documents.

“The court concludes that if anyone is being misleading, it is the plaintiffs.”

Further, the court found it was “borderline sanctionable” for the plaintiffs to assert CrowdStrike had been “false or, at minimum, misleading” in assuring investors it maintained such a team.

“CrowdStrike never told investors that it had a quality assurance team that assisted with software updates,” read court documents.

CrowdStrike was misleading, but not enough for a lawsuit

However, the plaintiffs did in fact uncover a handful of misleading statements, according to the court.

These statements concerned CrowdStrike’s compliance with security requirements set out by federal authorities, but were ultimately just two of 15 statements put forth by the shareholders.

In one example, the plaintiffs argued statements from Kurtz omitted that CrowdStrike prioritised speed over quality control and did not test its software updates for “insecure code”.

They also argued that in a 2023 earnings call Kurtz made false or misleading statements about the prevention of ‘blue screens of death’ when he explained Falcon could be used to remotely fix such crashes on devices running Microsoft Windows.

Ultimately, the court found the plaintiffs failed to plausibly allege either a “motive for fraud” or strong circumstantial evidence of fraud or severe recklessness.

Notably, the case could still proceed given Pitman has provided the plaintiffs the chance to file an amended complaint.

DiNapoli’s office told US media “the decision is under review”.

CrowdStrike has also faced a lawsuit from America’s Delta Air Lines, which sought $US500 million ($750 million) in damages following major flight disruptions in the wake of the outage.

A similar lawsuit by airline passengers was dismissed by Pitman in June, though the plaintiffs are appealing the decision in a New Orleans federal appeals court.