Leadership In Crisis: The Crowdstrike PR Response

In the high-stakes cybersecurity sector, even the most robust systems can experience sudden disruptions — often with serious, but temporary PR implications for the companies involved. But few expected that a routine update at Crowdstrike, a leader in endpoint security, could provoke the disaster that resulted last Friday. The Windows OS crash triggered by the faulty update disrupted airline reservation systems, financial institutions, and even hospital care. It was then up to Crowdstrike CEO George Kurtz to respond to the crisis.

Swift acknowledgment and ownership of the crisis is key

Crowdstrike’s response came as a status post on X.  The post identified the problem, making it clear that it was not the result of a cyberattack or security breach. It referred customers to a support portal for updates and assured them that Crowdstrike was mobilized to ensure “security and stability” for customers. In my view, it was a swift, effective, and relatively transparent first step in engaging with key customers.

Many criticized Kurtz harshly for the lack of apology after the incident. But in the moments after such an outage, customers aren’t looking for an apology. They’re looking for the fix. And while that’s happening, they need to know what’s behind the incident (and what’s not behind it) and, most of all, what to do. Those boxes were checked.

Language matters

Fast acknowledgment is critical in crisis management, as it helps to mitigate speculation and rumors, giving key stakeholders a clear account of the situation. So is language. Words and phrases must be chosen with utmost thoughtfulness, even under pressure. Within hours of the outage, Kurtz took to multiple media platforms, acknowledging the incident and expressing regret for… “the inconvenience.”

Now, “inconvenience” is a terrible word. It’s what the recording says when you’re on hold with the pharmacy, or what the airlines say when the flight is delayed. It’s not what you say after your technology strands thousands of travelers and potentially places surgical patients at risk. To his credit, Kurtz seemed to realize this and quickly began using words like “disruption” and “impact.”

Overall, Kurtz handled his media interviews with calm (notwithstanding the distraction of his exquisitely gelled hairstyle.) He used accessible language rather than tech jargon. He took responsibility. In broadcast engagements he provided a reasonably detailed explanation of what went wrong while managing to highlight the complexities involved in managing large-scale cybersecurity systems.

An apology takes sincerity and accountability

The Crowdstrike apology was late, but it did come, and with a reasonable degree of accountability. My motto when it comes to the perfect public apology is thisexplain, but don’t excuse. Accountability is essential to win public approval, but it can be very tricky in a crisis situation that exposes a business to legal liability.

To his credit, after the initial statement, Kurtz took a flurry of media interviews where he told a national TV audience that Crowdstrike was “deeply sorry for the impact that we’ve caused to customers, to travelers, to anyone affected by this, including our company.” His Chief Security Officer Shawn Henry went even further. “On Friday, we failed you, and for that I’m deeply sorry,” Henry said Monday in a LinkedIn post. Both seemed to have internalize another key maxim of the public apology, which is to focus on those harmed. It’s not about you.

A customer-focused approach helps

That customer-focused approach was the strongest aspect of Crowdstrike’s response. Kurtz and Henry reassured customers that their security and operational continuity were top priorities, announcing that all necessary resources were mobilzed to resolve the issue as quickly as possible. This type of outreach doesn’t ensure forgiveness, but it does let the most important audience segment know that the top guy is on the case and will not relent until it’s fixed.

Prevention matters after the fact

A key element in any crisis recovery, especially a situation that brings harm, is future prevention. Here, Crowdstrike has pledged to include additional validation checks and a stronger error handling mechanism to make sure errors from problematic content are “managed gracefully.” These and other steps will be intensely scrutinized, of course, but a proactive stance is the only way to regain customer trust and manage subsequent investigations.

Crowdstrike’s not out of the woods

Crowdstrike’s stock plummeted by 35% in value since the outage. And Kurtz is likely to be called to testify in front of Congress as it investigates the debacle and its ramifications. So, its potential rebound is just beginning, and there are many obstacles to a full recovery. But as Kurtz has seen, a serious crisis can be an opportunity to show how effective leadership can turn a terrible event into an opportunity for growth and trust-building. Watch this space.

United Flies Into A PR Storm

The public relations team at United had probably just started to breathe easy after the “leggings” mini-crisis when a second PR disaster hit. And this one’s a doozy.

Late Sunday, a United passenger who refused to give up his seat on an overbooked flight was forcibly removed from the plane by police, to the horror of other passengers. Many captured the scene on their smartphones, and the video was more shocking than the headline; the man is screaming as he is wrenched from his window seat and dragged down the aisle, his face bleeding after apparently hitting an armrest. It’s the kind of treatment you can only imagine if he were a physical threat or a terror suspect, not an ordinary passenger.

The video, which went viral by Monday morning after being posted on Facebook by another passenger, is very disturbing. But for public relations and crisis experts, United’s immediate response was also troubling. As of midday Monday, the airline had issued the following statement.

“Flight 3411 from Chicago to Louisville was overbooked. After our team looked for volunteers, one customer refused to leave the aircraft voluntarily and law enforcement was asked to come to the gate.

We apologize for the overbook situation. Further details on the removed customer should be directed to authorities.”

A poor response compounded by a second

You don’t need to be a PR professional to think this is a pretty poor response. There’s no apology for the passenger’s humiliation, inconvenience, and injury. There’s no explanation for the use of force, and in fact the statement omits the bit about dragging a screaming, bleeding man from his seat. United uses the word “voluntarily” in an interesting way (if you don’t want to volunteer, we’ll make you!) and then passes the buck to unnamed “authorities” who were clearly acting at its behest.

The first rule of a case like this is to take responsibility. The initial response amounts to an utter abdication of that. And it clearly could have been handled more skillfully. According to other passengers on the flight, the airline said it needed four seats to fly its own employees to Louisville. It offered as much as $800 and a hotel stay to anyone who would volunteer to take a later flight, but it had no takers. Technically, United was within its rights to remove passengers; nearly every ticket we buy contains small print about the risk of being bumped. But airlines typically negotiate for volunteers before the flight is boarded, not after they’re seated on the plane. More importantly, there would seem to be better ways of persuading a reluctant “volunteer” than by force.

A second statement released by United CEO Oscar Munoz on Monday wasn’t much of an improvement on the first.

“This is an upsetting event to all of us here at United. I apologize for having to re-accommodate these customers. Our team is moving with a sense of urgency to work with the authorities and conduct our own detailed review of what happened. We are also reaching out to this passenger to talk directly to him and further address and resolve this situation.”

“Re-accommodate”? Really? The statement here is vaguely worded; United seems to be apologizing to its own crew, or possibly to passengers who witnessed the incident. Its use of “re-accommodate” is positively Orwellian. It still doesn’t take any responsibility for the decision to use force or the chaos and injury that ensued. What’s more, comments by United spokesperson Charles Hobart in a New York Times interview seem to blame the passenger for refusing to leave after being asked repeatedly and – as Hobart takes pains to emphasize – politely. “We explained the scenario to the customer,” Mr. Hobart said. “That customer chose not to get out of his seat.”  United is blameless, he seems to say.

If you’re responsible, say so

Blaming others – even when it reflects the reality of a situation – is nearly always a losing proposition in a public apology. Again, the airline is technically within its rights, but it’s shocking to me that, as the video continues to be shared by social and traditional media, United has not admitted that it badly mistreated a paying passenger and mishandled a common enough situation that could have been defused with far less effort and expense. Nor has it announced that it will try to limit overbooking, or pledge to handle it differently in the future. The non-apology apologies are only fueling anger and ridicule on social media.

The airline offered up to $800 for anyone willing to give up his seat and fly later. What if it had offered more – $1000 or even $5000? If that seems expensive, look at the video, think about the outrage, and consider the reputation damage involved. And what if the airline had taken a page from Pepsi, which suffered through a different, but embarrassing and expensive mistake last week, yet handled it deftly and gracefully?

It’s hard to put a price tag on reputation. But this latest incident should make the airline and its peers straighten up and fly right, at least on the communications front. Because the harm to the United brand will far outweigh the cost of doing the right thing.

Note: After posting I read this excellent article about the power of the airline industry post-consolidation, which states that an airline can only legally compensate bumped passengers up to $1350. Even so, United should and could have handled this very differently.