CrowdStrike Exec Apologizes Before Congress for Glitch Behind Global IT Outage

‘A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie,’ committee chair Mark Green said.

A senior executive at the cybersecurity firm CrowdStrike apologized during a congressional hearing on Sept. 24 for a faulty software update that caused a worldwide IT outage in July.

Adam Meyers, senior vice president for counter-adversary operations at CrowdStrike, issued the apology during a hearing before the House Homeland Security Cybersecurity and Infrastructure Protection subcommittee.

Meyers said that the Austin-based company is “deeply sorry this happened” and that it is “determined to prevent this from happening again”

July’s global outage occurred due to an undetected error in a software update issued for Windows in a security system called Falcon, which is produced by CrowdStrike, the company has said.

It caused millions of computers running Microsoft Windows to crash, impacting multiple industries around the globe, including banks, healthcare, media companies, and hotel chains. It also led to flight cancellations worldwide.

“We have undertaken a full review of our systems and begun implementing plans to bolster our content update procedures so that we emerge from this experience as a stronger company,” Meyers said.

As of July 29, approximately 99 percent of customers’ systems were back up and running, the CrowdStrike senior exec stated.

Lawmakers during the hearing referred to July’s incident as the largest IT outage in history and said it demonstrates how global networks are increasingly interconnected.

“A global IT outage that impacts every sector of the economy is a catastrophe that we would expect to see in a movie,” Rep. Mark Green (R-Tenn.), who chairs the House Homeland Security Committee, said. “It is something that we would expect to be carefully executed by a malicious and sophisticated nation-state actor.”

Meyers said the incident was caused by a CrowdStrike “rapid response content update” and it “was not a cyberattack from foreign threat actors.”

His comments echoed those in a preliminary post-incident review issued by CrowdStrike in August in which the company said an internal and third-party analysis found the bug discovered during July’s update is “not exploitable by a threat actor.”

The Tennessee representative said that while “mistakes can happen” we “cannot allow a mistake of this magnitude to happen again.”

“In this case, CrowdStrike’s Content Validator used for its Falcon Sensor did not catch a bug in a channel file,” Green said. “It also appears that the update may not have been appropriately tested before being pushed out to the most sensitive part of a computer’s operating system.”

Companies must implement the strongest cybersecurity practices possible, Green said.

“I can assure you that we will take the lessons learned from this incident and use them to inform our work as we improve for the future,” Meyers told the hearing.

CrowdStrike is currently facing a class action suit from its shareholders over the outage. The shareholders allege the firm defrauded them by concealing how its inadequate software testing created a “substantial risk” that could lead to a global computer outage.

A departure board shows canceled flights at the Detroit Metropolitan Wayne County Airport, on July 20, 2024, in Detroit, Michigan. (Joe Raedle/Getty Images)
A departure board shows canceled flights at the Detroit Metropolitan Wayne County Airport, on July 20, 2024, in Detroit, Michigan. Joe Raedle/Getty Images

That lawsuit also notes that CrowdStrike’s share price fell 32 percent in the 12 days that succeeded the outage, wiping out $25 billion of market value.

When the lawsuit was filed, CrowdStrike said the case lacks merit.

Speaking at the time of the outage, CrowdStrike chief executive George Kurtz said: “We identified this very quickly and remediated the issue.”

He added that its systems were constantly being updated to ward off “adversaries that are out there”.

Last month, CrowdStrike reduced its revenue forecasts for 2025 to between $3.89 billion and $3.90 billion, down from its prior expectations of $3.98 billion to $4.01 billion.

CrowdStrike’s chief executive officer and co-founder, George Kurtz, said the company emerged more resilient in the wake of July’s outage and will continue to aggressively invest in innovation.

“Our vision and mission of stopping breaches remains unchanged,” Kurtz said.

Stephen Katte and Reuters contributed to this report.