Hospitals scrambled for backup plans. Shippers UPS and FedEx warned of delays. Media outlets went offline.
Those are just a few examples of businesses whose operations were thrown into disarray last Friday by a flawed software update from cybersecurity vendor CrowdStrike.
And that’s only one side of the crisis. Consumers felt the effects of a flawed piece of code in ways ranging from the small — some online ordering at Starbucks was disrupted — to major inconveniences, as personal computers stopped working and hosts of flights were canceled.
CrowdStrike, a security vendor whose partners range from tech giants like Microsoft to federal agencies and financial institutions, can’t be accused of not proactively trying to get ahead of the story.
Within hours, CrowdStrike CEO George Kurtz appeared on Today to apologize for the outage. Notably, he also said the company had identified the problem, telling hosts, “We know what the issue is.”
Kurtz also posted on X repeatedly on Friday. He urged customers to communicate with CrowdStrike representatives through official channels and provided critical information, such as that the glitch was affecting users running Microsoft’s Windows operating systems, but not Linux or Apple’s iOS. Critically, he made clear that the incident was not a cyberattack or the work of malicious actors.
As CrowdStrike released a fix for the faulty update, Kurtz directed the public to the company’s website, where it has since released a range of information about the incident, from technical specs to an apology from Kurtz and later an incident review.
Yet while the company’s actions made the grade for a cybersecurity response, it may have lost sight of the fact that what started as a B2B crisis became a B2C catastrophe, leaving travelers stranded in airports across the country.
“They were doing the B2B playbook right, communicating that they’re on the case and saying they had resolved it within a few hours. From the B2B playbook, they ticked all the right boxes,” notes Giles Peddy, MD for the U.K. and Europe at SourceCode Communications and the former CEO of tech consultancy Missive. “From the corporate perspective, they did all the right things, but this was almost like a run on a bank. It went out into the consumer world…and the playbook was slightly missing on that.”
Peddy’s colleague, SourceCode EVP and head of technology and innovation Kevin Dulaney, adds that technology companies often fall back on their contingency plans during a crisis. “Unfortunately, customers don’t see it that way. They see it as ‘I’m missing a wedding or I’m missing my grandmother’s birthday,’” he says.
CrowdStrike may have prioritized its biggest customers in a moment of crisis in lieu of the general public, note other experts, who say partners would have dealt directly with angry customers.
“CrowdStrike makes its money off large companies, and that is who they had to communicate with when the crisis first broke out. Someone walking into a hospital for a planned surgery and being turned away isn’t going to know who CrowdStrike is,” notes PAN Communications SVP Gene Carozza, via email. “It’s best to inform the companies affected and let them manage their customer relations issues. They best know how to handle these situations with their own customer base.”
CrowdStrike representatives did not reply to requests for comment.
Many of CrowdStrike’s business partners have been conducting active clean-ups this week. In a blog post on Wednesday, Delta Air Lines CEO Ed Bastian explained that his company has issued vouchers and SkyMiles as an apology for delays and cancelations, while acknowledging that the carrier’s “initial efforts to stabilize the operations were difficult and frustratingly slow and complex.”
Arguably no company faced as much collateral damage from the incident as Microsoft, both from members of the public frustrated by their inability to use their own devices, and from stories in the media that painted the outages as a Microsoft crisis, rather than one caused by CrowdStrike. Indeed, images in stories and segments from outlets around the world showed the “blue screen of death” displayed on Windows PCs when a problem forces the operating system to shut down or restart.
The Redmond, Washington-based company published a blog post explaining the cause of the issue — mentioning CrowdStrike several times — and CEO Satya Nadella posted on X about its response hours after the incident began. The lead communications executive at Microsoft, which has a combative history with CrowdStrike, aggressively pushed back on journalists on X for what his company saw as unfair coverage.
The reputation damage suffered by companies not at fault for the outage reinforces that it’s critical to build problems caused by vendors and other business partners into crisis plans, says FleishmanHillard global director of cybersecurity Scott Radcliffe.
He says that even brands that were not affected by the outage should be paying attention and changing their contingency plans where appropriate, noting increased risk from employees working off-site and with a mixture of personal and professional devices.
“There is a trend here recently where organizations that have a relationship with you but are not necessarily within your four walls can dramatically affect your business and your continuity,” he says. “I would stress the most that [brands] should be making sure they have not just a well-defined process but a process that communications leaders are very intimately involved in.”
The cleanup continues for many companies, and for CrowdStrike, the crisis is far from over. Republicans on the House Homeland Security Committee are planning to haul Kurtz to Capitol Hill for testimony, and the company’s financial reporting will be under greater scrutiny because of the incident, according to The Wall Street Journal. Adding to the pile-up, CrowdStrike may have scored an own goal this week when it issued $10 UberEats gift cards to affected customers, a gesture that was widely panned on social media.
“The lesson there is whatever you send out to everyone, is all in the public domain,” says Dan Bird, SVP at Fight or Flight, who agrees that many companies are revisiting their crisis plans this week. “Those things are going to make it out to the press, and you really have to consider the perception if it does make it out to the media.”
This story first appeared on PRWeek U.S.