Opinions Blog
Insights from our leadership
30 July 2024

The CrowdStrike IT Outage Carries Lessons for Regulators

By Willie Walsh, IATA's Director General

The CrowdStrike IT outage on Friday, 19 July crashed 8.5 million computers, and many critical systems worldwide ground to a halt. Businesses as diverse as Sky News, healthcare providers, and the State Bank of India were affected. It was the largest such outage in history, ironically far exceeding the worst any hack has succeeded in achieving.

It was not an aviation crisis, but queues of people waiting at airports made for the most telegenic news reports trying to put a human face on the extraordinary events that unfolded.

Travelers were hit hard, as it was one of the busiest weekends in the peak northern summer travel season. With systems managing everything from booking to check-in, baggage and crew scheduling impacted, many airlines and airports were disrupted.

By Friday mid-afternoon CET, nearly 36,000 flights had been delayed and by the end of the weekend, around 10,000 had been cancelled worldwide. Fortunately, travelers for the most part seemed to understand that this was completely beyond airlines’ control and were very patient as CrowdStrike implemented fixes.

Safety was never compromised. Aircraft systems and air traffic control were unaffected. And ground crews reacted with ingenuity – using hand-written boarding passes and other documentation to keep flights moving. It was an extraordinary day, by any measure.

With just over a week’s hindsight, it is time to look at what this event has taught us.

The first lesson is humility. IT glitches happen. And they can happen on a massive scale. My initial thought is to thank travelers for their patience and all those who worked long and hard to return our world to normality. And that is quickly followed by a desire to understand how all industries could be better protected from and prepared for such failures. Indeed, questions are already being raised around the overall resilience of businesses and society to cope, which may lead to greater political scrutiny.

The second lesson is that once again, the EU 261 passenger rights regime looks ill-equipped to handle incidents of this kind. I wrote about this last year when the UK NATS system broke down. Nothing has changed since then. No one disputes that travelers need care and assistance. But why does the burden fall solely on the airlines? It was not their fault. And there were no similar requirements placed on other business sectors whose customers were affected by the CrowdStrike crisis.

In fact, EU 261 has become a business in its own right with claims farms encouraging travelers to apply for compensation. We thank the UK CAA for stating the obvious—that this was indeed an extraordinary circumstance for which compensation does not apply. Curiously, the European Commission and the other CAAs around Europe have been silent.

The fair treatment of passengers across Europe would benefit greatly if the Commission would issue similar clear and timely guidance. But it appears that nobody in Europe wants to make such a decision for fear of being contradicted by the judges in the EU Court of Justice several years down the line, which is just another indication of how broken the EU 261 framework is. According to Parametrix, the issue will cost six of the Fortune 500 airlines approximately $860 million. The failures of EU 261 just exacerbate these costs for European airlines.

IT is a fact of life. It gives travelers options that they value. It has done much to keep travel affordable and, as AI spreads its wings, the future is ripe with potential for further improvements. The final learning that I would highlight is the onus that must be on tech companies for reliability. Scale is not an excuse, it is a responsibility. The aviation industry offers a great example. Over the decades since mass air travel became a reality, we have become ever safer and more reliable. This is the result of continual self-improvement through global standards and intense cooperation between industry and regulators. We are not perfect, but the system has proven itself robust. Perhaps it is time the IT industry adopted similar levels of humility and transparency, so that we can be ever more confident in the security and safety of our digitized world.
