CrowdStrike sued after update caused global outages, likely more to come

AUSTIN (KXAN) — A lawsuit filed Tuesday against cybersecurity company CrowdStrike claims that the company made "false and misleading statements" about its operations in order to "artificially inflate" its stock price.

The Plymouth County Retirement Association brought the lawsuit, which was filed in the Western District Court of Texas. Judge Robert Pitman will preside over the case.

“We believe this case lacks merit and we will vigorously defend the company,” said a CrowdStrike spokesperson in an email to KXAN.

Lawyers for the association said that CrowdStrike misled investors by allegedly claiming its technology was "validated, tested, and certified."

"CrowdStrike had instituted deficient controls in its procedure for updating Falcon and was not properly testing updates to Falcon before rolling them out to customers," alleged the plaintiffs. "This inadequate software testing created a substantial risk that an update to Falcon could cause major outages for a significant number of the Company’s customers...and such outages could pose, and in fact ultimately created, substantial reputational harm and legal risk to CrowdStrike."

On July 19, a bug in CrowdStrike's Falcon Sensor program (a component in the company's Falcon platform) caused computer systems to continually restart. A patch was quickly released, but the outages led to global disruptions in air travel, banking and other sectors.

This, along with Congress calling on the CEO to testify and Delta Air Lines' announcement of a lawsuit, caused CrowdStrike's stock price to drop to a current price of around $233. A week prior to July 19, the price was around $371.

According to CrowdStrike's preliminary review of the incident, the bug was released due to an error in the the company's Content Validator program, which approves updates prior to release. After that, another program automatically released the update.

"Based on the testing performed before the initial deployment of the Template Type (on March 05, 2024), trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production," the report stated.

The lawsuit is also a class-action, opening up the possibility for damages to be awarded to other investors. Other legal firms have also asked for investors to contact them, potentially signaling additional lawsuits in the future.

"Plaintiff and [other investors] would not have purchased CrowdStrike stock at the prices they paid, or at all, if they had been aware that the market prices had been artificially and falsely inflated by Defendants’ misleading statements," the lawsuit stated.