CrowdStrike Escapes Flyers’ IT Outage Class Action
By Craig Clough (June 20, 2025, 4:42 PM EDT) — A Texas federal judge has dismissed a proposed class action lawsuit targeting cybersecurity firm CrowdStrike Inc. This lawsuit was brought forth by airline customers who faced flight disruptions due to the severe global IT outage that occurred in July 2024. The judge’s decision was based on the determination that the claims, which were based on various state laws, are preempted by the federal Airline Deregulation Act.
The July 2024 incident was a catastrophic event that left many travelers stranded as airlines experienced a worldwide IT failure, leading to numerous delays and cancellations. In the wake of this disaster, affected passengers sought legal remedies against CrowdStrike, alleging that its cybersecurity measures were insufficient to prevent the breach that led to the outage.
CrowdStrike, a leading cybersecurity firm known for its expertise in threat intelligence and endpoint security, was implicated in the lawsuit under accusations that its negligence in securing airline IT systems facilitated the outage. However, the company contested these allegations, emphasizing that aviation regulations fall under federal jurisdiction, rendering state law claims inapplicable.
The judge presiding over this case agreed with CrowdStrike’s argument, citing the Airline Deregulation Act as the pivotal factor in the decision. This federal law, enacted in 1978, was designed to remove government control over fares, routes, and market entry of new airlines, thereby preempting state interference in these aspects. Consequently, the court found that the plaintiffs’ claims were significantly intertwined with airline regulation, leading to their dismissal.
The dismissal of this case underscores the complex intersection of technology, regulation, and commercial air travel. The outcome reinforces the overarching authority federal laws hold over state claims in matters related to airline operations and associated services.
Although the ruling distances CrowdStrike from legal liability, it shines a light on the evolving challenges within the cybersecurity landscape, particularly concerning critical infrastructure and services. As cybersecurity threats become increasingly sophisticated, the need for robust defenses intensifies alongside a deeper examination of legal frameworks governing responsibility and accountability in such incidents.
For the affected passengers, this decision may come as a disappointment, as the ruling eliminates one potential avenue for recourse. Nonetheless, it also highlights the need for enhanced collaboration between technology firms, government bodies, and the airline industry to bolster defenses against similar future incidents.
In conclusion, while CrowdStrike’s exoneration from this class action lawsuit alleviates its immediate legal pressures, the broader implications call for ongoing vigilance and adaptation in both cybersecurity approaches and legislative measures. Airlines and associated service providers need to persist in strengthening their digital defenses to protect against disruptive cyber events while ensuring compliance with existing federal regulations.
