The CrowdStrike Outage Is a Lesson in Crisis Communications

It’s been a tough few days for CrowdStrike and its biggest customer brands. Microsoft, Delta and others were directly impacted by the global outage on July 18, with many citing the blue screen of death as a sign that Y2K was finally happening in 2024.

The incident unfolded when a faulty CrowdStrike update compromised 8.5 million Windows devices globally. Although Microsoft emphasized that this number was less than 1% of all Windows machines, the proportion bore significant consequences due to the kind of organizations CrowdStrike serves: airlines, hospitals, banks and telecommunications companies—hubs of critical infrastructure.

The financial repercussions for CrowdStrike were immediate and severe: a 22% plunge in stock value, erasing nearly $16 billion from the company’s market capitalization. The ripple effect of this financial hit was felt across sectors, prompting concerns about the robustness of digital infrastructures and the legal landscapes governing such large-scale failures.

Brands like Delta and Microsoft faced backlash for their communication (or lack thereof). But the CrowdStrike team, despite the consequences that impacted stocks and brand perception, gave us all a lesson in crisis communications. What made some brand communications hit while others missed?

Brand missteps and consequential chaos 

Delta Airlines emerged as a key brand for negative sentiment as the carrier struggled with extensive flight cancellations and delays. U.S. Secretary of Transportation Pete Buttigieg had to remind Delta about the laws that safeguard airline customers, highlighting the volatility and public dissatisfaction during the ordeal.

Delta was criticized for its lack of immediate and transparent communication. Passengers across various airports were left in limbo, evidenced by countless social media posts capturing scenes of exasperation and hours-long waits. Industry experts have since argued that Delta’s handling could have been markedly improved by proactively managing and distributing more accurate information and reassurances through various channels to maintain customer trust and mitigate frustration.

For many travelers, their frustration over missed honeymoons and family get-togethers was only made worse by feeling like they were abandoned by gate agents and staff at the airports. 

Microsoft also had to contend with public backlash. While the company clarified the extent of the outage and provided guidance on workarounds, the extended disruption highlighted vulnerabilities in relying on third-party cybersecurity solutions. Businesses ranging from media outlets to government offices felt the sting, grappling with operational downtimes and financial losses that experts estimate could balloon into billions of dollars.

Unlike Delta’s backlash, Microsoft’s was a mixture of frustration and memes, with many joking that while Windows products weren’t working, somehow Microsoft Teams still was. This, in addition to multiple memes about the blue screen of death, made it absolutely impossible to hide from the outage. 

CrowdStrike’s response

CrowdStrike CEO George Kurtz faced considerable scrutiny for delivering an apology that some felt was insufficiently forthright or empathetic. Critiques emerged almost immediately, with individuals like Lulu Cheng Meservey of PR firm Rostra taking to Twitter to rewrite his response.

These critiques pointed to a need for a more heartfelt and transparent acknowledgment of the distress caused.

On Sunday, CrowdStrike chief security officer Shawn Henry issued a personal and heartfelt apology encapsulating the gravity of the situation and the company’s commitment to rectifying its mistake:

This statement is a model of what effective crisis communication should look like. Henry’s message is powerful because it:

Acknowledges the issue: Henry starts by admitting the failure openly, a crucial first step in regaining trust. 

Expresses sincere apology: The apology is genuine and heartfelt, reinforcing the company’s accountability. 

References past authority: By highlighting his and the company’s prior successes and dedication, Henry reminds stakeholders of the contributions that have cemented their trust over the years. 

Makes a personal connection: The message is personal and reflective, which helps build an emotional connection with the audience. 

Commits to action: By promising to learn and grow from the incident, Henry positions CrowdStrike as committed to continuous improvement and reliability. 

This response can’t and won’t be the last; the core response needs to be how the situation was resolved and what measures are being taken to prevent this from occurring again. Trust must be rebuilt from the ground up, and while this apology is a great start, it needs to be followed up with action to make sure customers stay. 

Moving forward

The overarching takeaway from this debacle is the critical importance of devising resilient risk management frameworks. The interconnectedness of modern digital ecosystems demands cybersecurity measures that not only protect but also swiftly adapt to and rectify vulnerabilities.

Effective communication, swift action plans and customer-centric approaches will be paramount in navigating and mitigating such disruptions in the future.

While these types of incidents are hard to predict, having brands build a culture of action and empathy is necessary to maintain a sense of trust with customers who expect the worst not to happen. Contingency planning with heart is how you win and course-correct. 

For more details on CrowdStrike’s remediation efforts, visit their Remediation and Guidance Hub.