CrowdStrike Broke the Internet (By Accident)

Q3 2024 delivered the largest IT outage in history, the largest telecom data breach ever, and one of the biggest PII leaks in recorded history. Just another quarter.

From The Bit Baker Quarterly Roundup — Q3 2024

PLUS: AT&T loses nearly all customer call records, and 2.9 billion records leak from a data broker you've never heard of


Good morning, Dave. On July 19, the cybersecurity industry learned an uncomfortable truth: the tools built to protect the world's computers can also bring them all down simultaneously. A bad content update from CrowdStrike bricked 8.5 million Windows machines in 78 minutes, grounding flights, freezing bank transactions, and knocking hospitals offline across every time zone. It wasn't a cyberattack. It was a software bug — and it caused more disruption than most attacks ever will.

The rest of Q3 kept the pressure on. AT&T disclosed that call and text metadata for nearly all its mobile customers had been stolen via Snowflake. A background check company called National Public Data leaked 2.9 billion records, including Social Security numbers. And Transport for London got hit hard enough to burn through £30 million in recovery costs. If there's a theme to this quarter, it's that the blast radius of failures — accidental or deliberate — keeps getting bigger.

In this quarter's security Bit Baker:

  • CrowdStrike update crashes 8.5 million machines worldwide
  • AT&T breach exposes call records for nearly every customer
  • National Public Data leaks 2.9 billion records
  • Transport for London cyberattack costs £30M and counting

A Single Update Triggers the Largest IT Outage in History

The Bit Baker: At 04:09 UTC on July 19, CrowdStrike pushed a faulty Falcon Sensor configuration update — Channel File 291 — that caused an out-of-bounds memory read, crashing approximately 8.5 million Windows machines into blue screen bootloops and triggering the largest IT outage in recorded history.

Unpacked:

  • The damage hit in under 78 minutes. Every Windows device running Falcon Sensor 7.11+ that pulled the update between 04:09 and 05:27 UTC crashed and couldn't reboot. Airlines grounded flights — Delta, United, American all issued ground stops. Banks went offline. Hospital systems froze. Broadcast networks went dark mid-program.
  • The fix was manual: boot into Safe Mode, navigate to C:\Windows\System32\drivers\CrowdStrike, delete the offending file. At enterprise scale — thousands of machines, many with BitLocker encryption requiring recovery keys — that process took days. Microsoft estimated less than 1% of all Windows devices were affected, but CrowdStrike's customer base skews toward the 60% of Fortune 500 companies that run it.
  • CrowdStrike's post-incident report revealed that a bug in their own content validation system let the defective file pass testing. The update itself was a routine threat detection rule — the kind CrowdStrike pushes daily. The fact that a single bad config file could cascade into a global outage raised fundamental questions about kernel-level security software.

Bottom line: CrowdStrike didn't get hacked. Their software worked exactly as designed — it just loaded bad data. That's arguably scarier than a breach, because it means the same supply chain trust model that makes endpoint security work can also make it a single point of failure for the entire connected economy.
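The failure described above reduces to a content file that referenced more input fields than the code consuming it actually had, so the interpreter indexed past the end of an array. The following is an added illustration, not CrowdStrike's code and not the real Channel File layout: a hypothetical "channel file" format with a header that declares how many fields a rule template supplies and a list of field indices a rule consumes. It shows the two places a defender wants a check: a release-time validator that rejects any index equal to or greater than the declared field count (the check the page says CrowdStrike's validation system failed to apply), and a load-time guard in the consumer that refuses to read when the running sensor supplies fewer values than the template declares, so a validator bug alone cannot become a kernel crash. All names, the byte layout, and the sample inputs are constructed for the example.

```c
/* Added illustration (not CrowdStrike code): a toy "channel file" format and
 * the two checks that should catch a field-index mismatch before it reaches
 * a kernel-mode consumer.  Layout, names and inputs are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_FIELDS 32   /* capacity the interpreter is compiled against */

/* A rule template: the interpreter expects field_count input values and a
 * rule refers to them by index (field_refs). */
typedef struct {
    uint8_t field_count;
    uint8_t ref_count;
    uint8_t field_refs[MAX_FIELDS];
} rule_template_t;

/* Constructed wire format:
 *   byte 0   : field_count   (fields the template supplies)
 *   byte 1   : ref_count     (indices that follow)
 *   bytes 2..: ref_count one-byte field indices */
typedef enum {
    CF_OK = 0,
    CF_ERR_TRUNCATED,   /* header or index list runs past the buffer */
    CF_ERR_TOO_MANY,    /* counts exceed the interpreter's capacity */
    CF_ERR_INDEX_OOB    /* a rule references a field the template lacks */
} cf_status_t;

/* Release-time validation: the content pipeline runs this before shipping.
 * The decisive check is the last loop: every index must be < field_count,
 * otherwise the consumer would index a field_count-sized array with a value
 * >= field_count, i.e. an out-of-bounds read. */
cf_status_t parse_channel_file(const uint8_t *buf, size_t len, rule_template_t *out)
{
    if (len < 2) return CF_ERR_TRUNCATED;
    uint8_t field_count = buf[0];
    uint8_t ref_count = buf[1];
    if (field_count > MAX_FIELDS || ref_count > MAX_FIELDS) return CF_ERR_TOO_MANY;
    if (len < 2 + (size_t)ref_count) return CF_ERR_TRUNCATED;
    for (size_t i = 0; i < ref_count; i++) {
        if (buf[2 + i] >= field_count) return CF_ERR_INDEX_OOB;
    }
    out->field_count = field_count;
    out->ref_count = ref_count;
    memcpy(out->field_refs, buf + 2, ref_count);
    return CF_OK;
}

/* Load-time guard in the consumer (defence in depth): even content that
 * passed validation is re-checked against the number of values the running
 * code actually supplies.  Returns -1 instead of reading out of bounds. */
int lookup_field(const rule_template_t *t, const int *values, size_t n_values, size_t ref)
{
    if (ref >= t->ref_count) return -1;
    uint8_t idx = t->field_refs[ref];
    if (idx >= t->field_count || idx >= n_values) return -1;
    return values[idx];
}

/* Constructed sample files (not real channel file content). */
static const uint8_t GOOD_FILE[]  = { 20, 3, 0, 7, 19 };  /* 20 fields, refs 0,7,19 */
static const uint8_t BAD_FILE[]   = { 20, 3, 0, 7, 20 };  /* ref 20 of only 20 fields */
static const uint8_t SHORT_FILE[] = { 20, 3, 0 };         /* promises 3 refs, carries 1 */

cf_status_t check_good_file(void)  { rule_template_t t; return parse_channel_file(GOOD_FILE, sizeof GOOD_FILE, &t); }
cf_status_t check_bad_file(void)   { rule_template_t t; return parse_channel_file(BAD_FILE, sizeof BAD_FILE, &t); }
cf_status_t check_short_file(void) { rule_template_t t; return parse_channel_file(SHORT_FILE, sizeof SHORT_FILE, &t); }

/* Valid template, consumer supplies all 20 values: ref 1 -> field 7 -> 70. */
int check_lookup_ok(void)
{
    rule_template_t t;
    parse_channel_file(GOOD_FILE, sizeof GOOD_FILE, &t);
    int values[20];
    for (int i = 0; i < 20; i++) values[i] = i * 10;
    return lookup_field(&t, values, 20, 1);
}

/* Valid template, but the running sensor only supplies 19 values: ref 2
 * names field 19, which does not exist at runtime, so the guard refuses. */
int check_value_count_mismatch(void)
{
    rule_template_t t;
    parse_channel_file(GOOD_FILE, sizeof GOOD_FILE, &t);
    int values[19] = {0};
    return lookup_field(&t, values, 19, 2);
}

int main(void)
{
    printf("good=%d bad=%d short=%d lookup=%d mismatch=%d\n",
           check_good_file(), check_bad_file(), check_short_file(),
           check_lookup_ok(), check_value_count_mismatch());
    return 0;
}
```

The design point is that the two checks are independent: the validator catches malformed content before release, and the consumer re-validates against what it can actually supply at load time, so a single defect in the content pipeline is not enough to crash the host.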


AT&T Loses Call Records for Nearly Every Customer

The Bit Baker: In July, AT&T disclosed that call and text metadata for nearly all its mobile customers — covering interactions from May through October 2022 and a single day in January 2023 — had been stolen through unauthorized access to an AT&T workspace on Snowflake's cloud platform.

Unpacked:

  • The stolen data includes phone numbers called and texted, call durations, frequency counts, and in some cases cell tower location data that can approximate physical location. Content of calls and texts wasn't taken, but metadata at this scale is its own intelligence goldmine.
  • AT&T detected the breach between April 14-25, 2024, but the DOJ requested a delay in public disclosure until July 12 — meaning customers went months without knowing their data was compromised. AT&T reportedly paid the attacker $373,646 (via ShinyHunters) to delete the data.
  • This was AT&T's second major breach of 2024, following a March disclosure that data on 73 million current and former customers — including Social Security numbers — had been dumped on the dark web from a 2019 incident.

Bottom line: When your telecom provider loses metadata for essentially every call and text you made over a six-month period, the question isn't whether you're affected — it's what someone can reconstruct from that data. Phone numbers link to identities. Call patterns reveal relationships. Location data shows movement. This is surveillance-grade information in criminal hands.


2.9 Billion Records Leak from a Company Most People Have Never Heard Of

The Bit Baker: National Public Data, a background check company, confirmed in August that hackers had stolen approximately 2.9 billion records containing Social Security numbers, full names, addresses, phone numbers, and dates of birth — one of the largest PII exposures in history.

Unpacked:

  • The breach started in December 2023, with stolen data appearing on dark web markets as early as April 2024. A threat group called USDoD initially listed the 277 GB database for $3.5 million before another actor, Fenice, released the entire dataset publicly for free.
  • NPD scraped personal information from non-public sources to sell background checks. Most of the 2.9 billion records belong to people who never knowingly provided data to this company — they were in the database because NPD aggregated public records, court filings, and other sources without consent.
  • Multiple class-action lawsuits were filed in August 2024, alleging negligence in securing data that people never agreed to share. The lawsuits seek data purging, mandatory encryption, and ongoing cybersecurity audits.

Bottom line: National Public Data is the kind of company that exists in a regulatory blind spot — collecting Social Security numbers at scale with minimal oversight. The breach exposed not just personal data but the entire data broker business model: companies you've never interacted with hold your most sensitive information, and there's no meaningful accountability when they lose it.


Transport for London Attack Burns Through £30 Million

The Bit Baker: On September 1, Transport for London detected suspicious activity in its systems, triggering an incident response that took contactless payment systems, customer portals, and third-party API integrations offline for weeks — with total costs exceeding £30 million by year's end.

Unpacked:

  • Attackers accessed a legacy system connected to Oyster card, contactless payments, and discounted travel schemes. Around 5,000 customers had bank account details (sort codes and account numbers) exposed, while millions more had personal data potentially compromised in related databases.
  • Core transport operations continued — trains and buses ran — but digital services crumbled. Oyster and contactless login systems went down. Third-party apps like Citymapper lost API access. Dial-a-Ride services were disrupted. The recovery effort stretched into late 2024.
  • The NCA arrested a 17-year-old from Walsall on suspicion of Computer Misuse Act offenses. The ICO closed its investigation in February 2025 without regulatory action against TfL.

Bottom line: A teenager allegedly caused £30 million in damage to London's transport authority — a figure that slashed TfL's projected budget surplus and forced trade-offs across the organization. The attack wasn't sophisticated, but it landed on legacy systems that couldn't be easily isolated or rebuilt.


The Shortlist

Volt Typhoon continued to draw urgent warnings from CISA and the FBI throughout Q3, with the Chinese APT group maintaining persistent access to US critical infrastructure — water systems, energy grids, and telecom networks — positioning for potential disruption during a future conflict.

RansomHub emerged as one of the most active ransomware groups of Q3, filling the vacuum left by LockBit's disruption and ALPHV's exit scam, and rapidly climbing the charts for total victims claimed.

Columbus, Ohio suffered a ransomware attack in July that exposed data on 500,000 residents and triggered a controversial response when the city initially downplayed the breach, then sued a security researcher who verified the stolen data was real.

Fortinet disclosed a critical FortiManager zero-day (CVE-2024-47575) under active exploitation in late September, with attackers using it to exfiltrate configuration data from managed FortiGate devices — another high-severity firewall vulnerability in a year full of them.


References

  1. Falcon content update preliminary post-incident report
  2. 2024 CrowdStrike-related IT outages
  3. AT&T had a huge data breach — here's what you need to know
  4. AT&T data breach spurs lawsuit and action from Washington
  5. National Public Data breach publishes private data of billions of US citizens
  6. 2024 National Public Data breach
  7. TfL cyber security incident
  8. TfL Transport for London data breach
  9. TfL cyber attack cost over £30M to date