Risk register · entry
Q3 · EngineeredCrowdStrike outage
One faulty security update bricked 8.5M Windows machines worldwide.
Tightly coupled systems where one small fault cascades and takes down the whole machine.
Why this room
The trigger itself was mechanically simple, one flawed content file with a memory-read bug, but the payoff structure turned complex and fat-tailed the moment it hit a monoculture of kernel-privileged, tightly coupled global systems, producing a correlated, non-linear shock rather than an isolated, containable IT failure.
The record
- 8.5 million Windows devices crashed worldwidecertain
- Faulty update deployed 19 July 2024, 04:09 UTC; reverted by 05:27 UTCcertain
- $5.4 billion in direct losses to Fortune 500 companies (Parametrix estimate)likely
- Only 10-20% of Fortune 500 losses covered by cyber insurance (~$540M-$1.08B insured)likely
- Healthcare sector losses estimated at $1.94 billion, banking at $1.15 billionlikely
- Delta Air Lines cancelled 7,000+ flights over five days, ~1.3 million passengers affectedlikely
- Delta's cost estimated near $550 million ($380M lost revenue + $170M expenses per SEC filing)likely
- Delta filed a $500 million lawsuit against CrowdStrike, October 2024certain
- CrowdStrike stock fell over 11% on 19 July 2024likely
- UK economy-wide loss estimated at £1.7-2.3 billionuncertain
- About 124 Fortune 500 companies (roughly a quarter) directly affectedlikely
Sources
The book
This entry is one of 111 in the register. The full story, and what it cost the people who lived it, is in Risky Business by Claudia Zeisberger, David Munro and Joanna Reijgersberg-Siew.
Join the waiting list