This corporate crisis wasn't supposed to happen — not to this company, and certainly not to this extent.
When CrowdStrike sent customers a faulty update to its cybersecurity software in mid-July, the routine event quickly snowballed into an information technology outage of historic proportions. CrowdStrike stock fell into a tailspin as countless industries ground to a halt, causing more than $10 billion in estimated damages and leaving the company with a huge crisis management challenge.
Up to that point, the tech world — and the financial universe, for that matter — held CrowdStrike in high regard and considered it a formidable player in the cybersecurity sector. But now investors are left to wonder when CrowdStrike stock — down 35% from its peak in early July as of Wednesday — might recover. For now, it's stuck in the same market purgatory that enveloped Boeing for 737 jet defects, Chipotle Mexican Grill after a food poisoning scare and Anheuser-Busch InBev when a political backlash flared following a sponsorship deal with a transgender influencer.
"Some of the CrowdStrike customers say they are still seeing the negative impacts of the issue to some degree, the company stock price has dropped considerably and having your company name associated with 'global IT outage' is never a good thing," said Kelcey Kintner, senior vice president at Red Banyan, a global crisis management firm based in Fort Lauderdale, Fla.
Alex Henderson, a CrowdStrike stock analyst at Needham Securities, told Investor's Business Daily the company enjoyed a strong reputation before the outage.
"CrowdStrike has one of the best security platforms on the planet," he said in an interview. Henderson later added: "It's painful to see that happen to a good guy."
CrowdStrike Stock Crisis Rooted In 'Blue Screen Of Death'
A corporate adage says it takes years to build a reputation and only minutes to unravel it. That was the case on the morning of July 19.
Millions of workers in a multitude of industries reported to their jobs that day, only to find what is called the "blue screen of death" on their computers. The screen shows up when Microsoft's ubiquitous Windows operating system gets stuck.
It all started when CrowdStrike issued an automatic update to its Falcon Sensor security software. The update was meant to detect "novel attack techniques that may abuse certain Windows mechanisms," the company says. It turns out the software didn't sit well with Windows.
The defect tucked itself away in a part of an update known as Rapid Response Content for Channel File 291. In a summary of the incident, CrowdStrike says it first installed a new sensor in February, and started circulating it in March. It says it updated the program three times in April.
How CrowdStrike Update Crashed Systems
Then on July 19, CrowdStrike delivered another update to the program. The trouble occurred because the sensor expected 20 of what are known as "input fields," but the update provided 21.
"In this instance, the mismatch resulted in an out-of-bounds memory read, causing a system crash," the company said in a written report on the incident. "Our analysis, together with a third-party review, confirmed this bug is not exploitable by a threat actor."
The outage struck an estimated 8.5 million computers across the globe. Factories, banks, hotels, retailers all felt the impact. So did emergency services and government offices.
For many, rebooting only reintroduced the error to their computers, leaving users with the same blank blue screen for hours.
CrowdStrike says that by 8 p.m. ET, roughly 99% of all Windows sensors were back online.
CrowdStrike Corporate Crisis: Award For 'Most Epic Fail'
The CrowdStrike incident went down as the biggest global tech outage ever, according to numerous accounts.
In a statement released the day of the outage, Chief Executive George Kurtz said: "I want to sincerely apologize directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority."
Meanwhile, the company's president, Michael Sentonas, offered a lighthearted moment at a recent industry conference when he accepted a trophy for the industry's "most epic fail." It's sort of the equivalent of an actor accepting a Razzie award.
"Definitely not the award to be proud of, or saving," Sentonas told the crowd at the Def Con show in Las Vegas. "I think the team was surprised when I said straight away that I would come and get it. We got this horribly wrong. We've said that a number of different times."
Sentonas said he would take the award back to the company's headquarters in Austin, Texas, and display it prominently.
"I want every CrowdStriker who comes to work to see it because our goal is to protect people," he said. "We got this wrong and I want to make sure everybody understands these things can't happen."
Airlines, CrowdStrike Stock Take A Hit
Perhaps no industry felt the impact more than airlines. Carriers canceled an estimated 3,000 domestic flights that day and delayed another 11,000. The trouble persisted for a few more days, with more than 40,000 more flights either canceled or delayed.
And the one that probably suffered the most was Delta Air Lines. The Atlanta-based carrier canceled more than 6,000 flights over five days, disrupting the travel plans of 1.3 million customers. Delta has estimated the outage cost it at least $500 million.
As for CrowdStrike itself, shares peaked at an all-time intraday high of 398.33 on July 9, 10 days before the crisis. That was up 177% from the same date in 2023. It was one of the market's big winners, far outpacing the S&P 500's 27% gain.
CrowdStrike stock rapidly deflated after the outage and ultimately recorded a 39% plunge for the month. It has crept up over the last two weeks and now sits 35% below its peak.
Whether the CrowdStrike debacle will rank among infamous corporate stumbles of the past remains to be seen. Some CrowdStrike stock analysts on Wall Street are certain it won't fall into the same trap that has crippled other tainted names.
Better Off Than Boeing And Wells Fargo
"Compared with Boeing, this is going to be a flash in the pan," said Needham Securities' Henderson. The problems plaguing the aircraft-building behemoth have persisted for more than five years.
Boeing's long PR nightmare began in late 2018 and early 2019 with two fatal crashes involving the company's new 737 Max jet. The company grounded the fleet of planes for 20 months. But Boeing's problems didn't end there.
Last year, Boeing discovered improperly installed bulkheads in the planes. Then in January this year, an emergency exit door ejected from an Alaska Airlines flight, causing the 737 Max's cabin to decompress. All told, problems with the jet have cost Boeing billions of dollars.
"The problem Boeing has, is (that) it's burning lots of cash," Henderson said.
Deborah Hileman, chief executive of the Institute for Crisis Management, based in South Bend, Ind., noted another example of a long-lasting, crippling corporate crisis at banking giant Wells Fargo starting in 2016.
The U.S. Justice Department said that over a period of 14 years, Wells Fargo pressured employees to meet unrealistic sales goals. It said that led to the creation of millions of accounts and products under false pretenses, creating fake records and misusing customer identities.
"There was this big massive earthquake with lots of aftershocks over the years," Hileman said in an interview.
Wells Fargo is now on its third CEO since the crisis surfaced. It settled charges with the Justice Department for $3 billion in 2020.
The Gold Standard In Corporate Crisis Management
Many agree that the gold standard for crisis management came in 1982 when Johnson & Johnson dealt with containers of pain relief medication Tylenol that were maliciously laced with cyanide, killing seven people.
Though the pills were discovered in only the Chicago area, J&J recalled all Tylenol bottles off store shelves throughout the U.S., drawing praise for its decisive action.
"It probably launched the crisis management industry," Hileman said.
Still, Hileman contends that J&J didn't perform as well when it came to handling more recent issues with its talcum powder products, which were found to contain carcinogenic asbestos. It took some time before the company settled with litigants and agreed to stop making its talcum products earlier this year.
"It's clear to me they no longer follow the principles they had in 1982," Hileman said.
How CrowdStrike Is Coping With Crisis
How well is CrowdStrike handling its crisis management? The company is getting high marks for its quick response, even as issues lingered for many customers. But Hileman and Red Banyan's Kintner agree that CrowdStrike handled initial communications poorly.
Hileman contends that CrowdStrike should have been more empathetic to its stakeholders — essentially anyone affected by the outage — and could have communicated more effectively with those not well-versed in tech talk.
Kintner says CrowdStrike did take to social media and created a blog page.
"But they needed to go further — apologizing to everyone whose lives were very much impacted," she said in written responses to IBD.
'Focus On Lessons Learned'
CrowdStrike contends it did try to reach all those affected.
"We have continually expressed our regret and apologies to customers, travelers and everyone impacted by this incident and for the disruption that resulted. George Kurtz himself first delivered this message on the Today Show at approximately 7:30 a.m. ET on July 19th," the company said in a written statement.
It went on to say: "CrowdStrike's focus continues to be on using the lessons learned from this incident to better serve our customers."
Kintner says CrowdStrike sits in a unique position compared with other companies contending with crisis management. For one, it doesn't deal directly with the public like Chipotle or Budweiser. Chipotle dealt with a food contamination crisis in 2015. Budweiser faced a crippling boycott last year over commercials for its Bud Light brand featuring a transgender woman.
"Even though there were a ton of outwardly angry individuals on social media who were directly affected (by the CrowdStrike outage), it's a lot easier to stop eating Chipotle or drinking Budweiser than it is for the average person to lash out against CrowdStrike," she said.
Wall Street Mixed About Effects On CrowdStrike Stock
The reaction among CrowdStrike stock analysts on Wall Street remains mixed. While some lowered their price targets on the company's stock, others still praise the company.
"I would definitely give them higher marks," Trevor Walsh, analyst at Citizens JMP Securities, told IBD. He noted many companies recovered from the IT outage the same day. He says the incident resulted in an effective "fire drill" on handling a widespread tech emergency, thanks to the fact there was no security breach.
In a note to clients Aug. 6, Piper Sandler analyst Rob D. Owens actually upgraded CrowdStrike shares to "overweight" status. He said: "While customers will be upset, we believe the company has performed to the best of its ability to restore goodwill through both its transparency and actions."
But several analysts cut their price targets, noting that CrowdStrike faces renegotiations with its customers. Wedbush analyst Taz Koujalgi said in a July 23 client note that CrowdStrike customers could force the company to give discounts of as much as 40%. He said nearly half the deals up for negotiation this quarter face possible delays.
He added, though, that "evaluating and selecting a new vendor is a long process, and (CrowdStrike's) loss might not result in an immediate benefit for any other vendor."
Limited Liability For CrowdStrike Stock?
One thing possibly working in CrowdStrike's favor is the limited liability clause it includes in all its contracts. Citizens JMP's Walsh says software makers routinely include clauses in their pacts shielding them from liability for lost revenue due to unforeseen software failures.
That could come in handy for CrowdStrike stock, particularly in the case of Delta Air Lines.
Many analysts expect Delta to seek at least the $500 million in damages it blames on the outage from both CrowdStrike and Microsoft. The carrier recently hired noted civil lawyer David Boies to handle its case.
Boies has handled a number of high-profile cases, including former Vice President Al Gore's contest of the 2000 presidential election. Delta also wrote a letter to the company threatening legal action on July 29.
Neither Delta nor Boies responded to requests for comment. But Walsh thinks the limited liability issue could be a huge hurdle for Delta.
"The limits on liability are pretty explicit in these agreements," Walsh said.
CrowdStrike's Response To Delta Air Lines
In a letter responding to Delta dated Aug. 4, CrowdStrike attorney Michael B. Carlinsky refers to its limited liability clause and contends the company's liability stops at the "single-digit millions" — essentially the equivalent of the CrowdStrike-Delta contract.
Carlinsky noted that CrowdStrike continually offered aid to Delta, but the airline refused.
"As I am sure you can appreciate, while litigation would be unfortunate, CrowdStrike will respond aggressively, if forced to do so, in order to protect its shareholders, employees, and other stakeholders," Carlinsky said in the letter.
Others see further litigation as inevitable to some degree for CrowdStrike. Needham's Henderson includes Delta in that mix.
"Delta is going to sue them," he said. "I wouldn't be surprised if other people sue them."
Red Banyan's Kintner added: "It's definitely going to be a hot minute. Delta and CrowdStrike are now lashing out at each other publicly, and potential litigation just continues the crisis from a PR perspective."
CrowdStrike Stock And The Long Road To Recovery
Analysts and crisis management counselors agree potential litigation stands as one element that will prevent the company, and CrowdStrike stock, from completely recovering for some time.
The company contends it is operating as normal.
"There has been strong support from our customers and industry partners, for which we are grateful," the company said. "Our interactions have focused on greater collaboration and how we can work together as an industry to build more resilient systems for the future."
But Needham's Henderson likened the CrowdStrike situation to that of Chipotle. He noted that it took more than a year for Chipotle to fully reassure customers on food safety.
Chipotle shares did eventually get back to where they were before the 2015 crisis. But that took nearly four years.
Henderson sees CrowdStrike stock getting back to its former heights in about two years. Red Banyan's Kintner agrees that the company can get back to its former standing, but it will take time.
"CrowdStrike needs to take the high road, continue to take responsibility for the part they played in all this and express empathy to everyone affected," she said. "They can push through this. But this is a marathon, not a sprint."
Editor's Note: This story has been updated to correct the spelling of Kelcey Kintner and to correct a quote from CrowdStrike President Michael Sentonas.
