
The ‘largest outage in history’: that is how last month’s CrowdStrike IT incident has been described, after 8.5 million Windows devices crashed with waves of blue screens across industries ranging from airports to broadcasting.

Initial fears were of a massive cyber-attack impacting millions of users but, within hours, the root cause was found to be an update patch pushed out by CrowdStrike (a major IT security provider). 

A fix was released once the error in the patch was discovered, but by this time many affected computers had to be fixed manually, which meant that services across the globe continued to be disrupted for some time.

What Happened?

Early in the morning of the 19th July, CrowdStrike released a problematic configuration update for its Falcon sensor software on Windows PCs and servers. The update introduced a change in Channel File 291, a configuration file used to monitor named pipes, leading to an out-of-bounds memory read in the Windows sensor client, which caused an invalid page fault. This update resulted in machines either getting stuck in a bootloop or booting into recovery mode. In short, this is technical speak for the computer being unable to start up properly.
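As an added illustration (not CrowdStrike’s code, file format or fix), the following C parser shows the kind of bounds check that stops a malformed content file from producing an out-of-bounds read of the sort described above; the ‘channel file’ layout, field limit and error codes are constructed for this example.

```c
/* Added illustration, not CrowdStrike's code or file format: a bounds-checked parser
 * for a constructed "channel file" of rules; the flagged check is the one whose
 * absence lets a malformed content update read past the fields it supplies. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_FIELDS        16   /* constructed: most fields one rule may carry */
#define CF_OK              0
#define CF_ERR_TRUNCATED  -1   /* file ends before a declared item */
#define CF_ERR_FIELDS     -2   /* field_count exceeds MAX_FIELDS */
#define CF_ERR_INDEX      -3   /* rule references a field it does not carry */

/* Constructed wire format: "CF" magic, uint8 rule_count; each rule is
 * uint8 field_count, field_count x uint32 little-endian values, uint8 match_index. */
static int read_u8(const uint8_t *buf, size_t len, size_t *pos, uint8_t *out) {
    if (*pos >= len) return CF_ERR_TRUNCATED;
    *out = buf[(*pos)++];
    return CF_OK;
}

int validate_channel_file(const uint8_t *buf, size_t len) {
    size_t pos = 2;
    uint8_t rule_count, field_count, match_index;
    int rc;
    if (len < 2 || memcmp(buf, "CF", 2) != 0) return CF_ERR_TRUNCATED;
    if ((rc = read_u8(buf, len, &pos, &rule_count)) != CF_OK) return rc;
    for (uint8_t r = 0; r < rule_count; r++) {
        uint32_t fields[MAX_FIELDS];
        if ((rc = read_u8(buf, len, &pos, &field_count)) != CF_OK) return rc;
        if (field_count > MAX_FIELDS) return CF_ERR_FIELDS;      /* bound the local array */
        if (len - pos < (size_t)field_count * 4) return CF_ERR_TRUNCATED;
        for (uint8_t i = 0; i < field_count; i++, pos += 4)
            fields[i] = (uint32_t)buf[pos] | (uint32_t)buf[pos + 1] << 8 |
                        (uint32_t)buf[pos + 2] << 16 | (uint32_t)buf[pos + 3] << 24;
        if ((rc = read_u8(buf, len, &pos, &match_index)) != CF_OK) return rc;
        /* Decisive check: without it, fields[match_index] reads beyond the values
         * the file actually supplied, i.e. an out-of-bounds read on a config update. */
        if (match_index >= field_count) return CF_ERR_INDEX;
        (void)fields[match_index];
    }
    return CF_OK;
}

/* Constructed samples: well-formed; match_index 7 exceeds two fields; cut off mid-rule. */
static const uint8_t good[]   = {'C','F',1, 2, 1,0,0,0, 2,0,0,0, 1};
static const uint8_t bad[]    = {'C','F',1, 2, 1,0,0,0, 2,0,0,0, 7};
static const uint8_t short_[] = {'C','F',1, 2, 1,0,0,0};

int check_good(void)      { return validate_channel_file(good,   sizeof good);   }
int check_bad_index(void) { return validate_channel_file(bad,    sizeof bad);    }
int check_truncated(void) { return validate_channel_file(short_, sizeof short_); }
```

A content update that fails this validation is rejected before the sensor ever indexes into the rule, so a defective file is logged and skipped rather than faulting the machine.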

Subsequently, Windows virtual machines on the Microsoft Azure cloud platform began rebooting and crashing. The problem affected systems running Windows 10 and Windows 11 with the CrowdStrike Falcon software installed. Most personal Windows PCs were not impacted, as CrowdStrike's software is predominantly used by organisations and businesses. The software did not offer users an option to delay the installation of its content updates.

CrowdStrike rolled back the content update within a couple of hours, and devices that booted up after the rollback were not impacted. However, the damage had been done, and millions of systems across the world were unable to function.

What Were the Effects?

Airlines were among the worst affected industries: over several days, 5,470 Delta Air Lines flights had to be cancelled, which was more than the total number of cancellations in 2018 and 2019 combined. Meanwhile, closer to home in the UK, GPs were forced to resort to pen and paper to serve patients, and access to critical information was restricted.

Potential Repercussions

Cyber Insurance Premiums

According to S&P, cyber risk coverage is one of the insurance industry's fastest-growing segments. Global premiums are projected to exceed $20 billion by 2025, up from nearly $15 billion in 2023.

The fear of ransomware is leading to a greater take-up of cyber insurance by small and medium-sized enterprises, but what happens when an error rather than malicious activity is responsible for the largest digital blackout in history? Many insured organisations have already submitted notices of circumstances, but the claims process remains in its early stages. A report by insurance firm Guy Carpenter estimates that fewer than 1% of companies worldwide with cyber insurance have been affected.

Findings from the Guy Carpenter report also suggest that the CrowdStrike event will not lead to significant losses for most insurance companies. However, this could change depending on the policy language adopted by insurers, the concentration of underwriting in various industries, and the uptake of coverage for system failures.

A report by Parametrix, released in late July, estimates that Fortune 500 companies (excluding Microsoft) will face a direct impact of $5.4 billion from the disruption. Moody’s noted that most of the insurance losses will come from business interruption claims.

The chaos and resulting costs of this incident may change future cyber insurance coverage, but this is hard to predict. Cyber insurance is mainly sought to mitigate cyber-attacks, but insurance companies may now need to adjust their models to account for smaller, more frequent, yet catastrophic events. Whether this will eventually impact and increase the cost of premiums remains to be seen.

Phishing Campaigns

National cybersecurity agencies worldwide advised organisations and individuals to exercise caution regarding malicious communications about the recent CrowdStrike IT issue.

There was a surge in fake ‘typo-squatting’ domains intended to exploit individuals who mistyped ‘CrowdStrike’ in their web browsers. Malicious websites and unofficial code were circulated, falsely claiming to help recover from the outages.

The CrowdStrike incident itself was not caused by a malicious attack. However, cybercriminals exploited the resulting confusion and concern by launching targeted attacks. These attacks included phishing campaigns designed to trick users into downloading malware and compromising their credentials. Additionally, social engineering attacks were reported, where criminals posed as IT personnel to deceive individuals into downloading harmful software or paying for fake support.

These attacks are not unique or surprising, but this swift response by scammers and cybercriminals demonstrates yet again how any opportunity is exploited to target businesses and the greater public.

UK Third-Party Supplier Regulation

As announced in the King’s Speech, the UK government is looking to push forward with the Cyber Security and Resilience Bill. It is hoped that the Bill will strengthen the UK’s cyber defences and ensure that critical infrastructure and the digital services on which companies rely are secure.

As part of this, special consideration has been given to attacks on suppliers, with the recent Synnovis attack that affected London Hospitals highlighted as an example of the vulnerability of critical sectors through the supply chain.

The chaos resulting from this CrowdStrike error is another example of the vulnerabilities and risks that arise from the relationship between modern organisations and their suppliers. It is therefore increasingly likely that there will be a requirement for all businesses to consider their supply chains to determine whether they fall within the scope, even indirectly, of the new stricter cyber security requirements.

Conclusion

CrowdStrike’s mistake serves as a stark reminder of the fragility of our digital infrastructure. The unprecedented scale of this incident, impacting over 8.5 million devices and causing widespread disruptions across various industries, shows the importance of robust cybersecurity measures and consideration of third-party risk.

While the immediate technical issues have been addressed, the broader ramifications continue to unfold, from potential increases in cyber insurance premiums to the possible effect on regulatory reforms in the UK. Moreover, the exploitation of such crises by cybercriminals through phishing campaigns and social engineering attacks further complicates recovery efforts and emphasises the need for heightened vigilance after a cyber incident.

As businesses and governments grapple with the long-term effects, this incident will likely shape future cybersecurity policies, insurance models, and resilience strategies, reinforcing the need for continual adaptation in the face of evolving cyber threats.