Updated 24th July
CrowdStrike has released a preliminary Post Incident Review (PIR) following their investigations into the outage. They have stated that the issue ‘involved a Rapid Response Content update with an undetected error’ – this was a content configuration update designed to ‘respond to the changing threat landscape at operational speed’. While the update was checked before being published, a bug in the Content Validator meant that one element of the update passed validation despite containing problematic content data. This problematic data led to the crash.
The PIR also includes a statement from CEO George Kurtz, apologising for the outage and warning customers of potential malicious action following the incident: ‘We know that adversaries and bad actors will try to exploit events like this. I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives.’
Updated 22nd July
CrowdStrike has stated that a ‘significant’ number of the affected devices are now back online following the outage. They confirmed via an update on X that 8.5 million Windows devices were impacted, and that they are focusing on ‘restoring all systems as soon as possible’.
While many systems worldwide are now back online, backlogs and delays caused by the outage mean the effects will likely still be felt for several weeks.
The outage was caused by a content update for CrowdStrike’s endpoint detection and response (EDR) software, Falcon. The software monitors the device for suspicious activity and locks down any threats – meaning it is tightly integrated with the core software of the device, in this case Microsoft Windows. When the update caused Falcon to malfunction, the affected devices crashed with the ‘blue screen of death’ error and failed to reboot.
CrowdStrike has given full details of what caused the incident, as well as how to access support if you are affected, on their blog.
Updated 19th July
The outage, which has impacted Microsoft Windows devices, started at about 11pm GMT on the 18th July. The cause of the outage was not initially clear, with Microsoft stating that they were investigating the problem and taking mitigation actions.
Cybersecurity firm CrowdStrike has now confirmed the issue was caused by a defect in their content update for Windows hosts. CEO George Kurtz stated ‘The issue has been identified, isolated and a fix has been deployed’.
The impact of the outage so far has included:
- Airlines and airports globally have experienced outages in their systems, causing delays and cancellations
- GP practices across the UK were unable to access patient records or book appointments
- Sky News in the UK was off air on the morning of 19th July
- UK train companies have been unable to access driver diagrams, leading to short-notice delays and cancellations
Current investigations indicate that the UK government is not experiencing issues with its own IT infrastructure.