Endpoint Security , Open XDR , Standards, Regulations & Compliance

Court Approves Lenovo's $7.3 Million Adware Settlement

Manufacturer Preinstalled Superfish Visual Discovery Adware on 800,000 Laptops
Court Approves Lenovo's $7.3 Million Adware Settlement

Memo to computer manufacturers: Never install adware on the systems you sell, especially when it's designed to intercept all browser traffic and offer unwanted price comparisons to online shoppers.

See Also: Why You Need To Own Your Data

Beijing-based PC manufacturer Lenovo learned this lesson the hard way, after it installed the "Superfish Visual Discovery" comparison-search engine software by default on its consumer laptops. When that came to light, security experts warned that the software was not only a nuisance, but that it also left encrypted traffic at risk of being intercepted by attackers (see: Lenovo Slammed Over Superfish Adware).

Nearly four years after Lenovo's adware-installation practices were spotted - and curtailed - the company has reached a settlement agreement with consumers who bought one of the affected systems, as Bloomberg Law first reported.

On Wednesday, the U.S. District Court for the Northern District of California granted preliminary approval of Lenovo's proposal to pay $7.3 million to settle 27 class action lawsuits filed against it, which in June 2015 were consolidated into a single lawsuit. Attorneys working on behalf of the plaintiffs say they will file separately to recover their costs.

Plaintiffs had alleged that the Superfish software "created performance, privacy and security issues."

The Lenovo settlement agreement was submitted to the court on July 11. "The agreements were reached under the supervision of two experienced mediators and follow three years of litigation that included wide-ranging discovery and certification of a nationwide class under California law," according to the settlement agreement.

Preinstalled on 28 Different Laptop Models

Lenovo installed Superfish on 28 Lenovo laptop models sold in the U.S. from Sept. 1, 2014, to Feb. 28, 2015, according to court documents. But this practice came to light in January 2015.

Superfish was quickly slammed by information security experts, who tested the software and found that it was not just intercepting searches and injecting its own results into browser windows. The developers behind Superfish also committed a colossal information security error by having the software install the same exact root certificate on every PC where it resided.

"This means that hackers at your local cafe WiFi hotspot, or the NSA eavesdropping on the internet, can use that private key to likewise intercept all SSL connections from Superfish users," offensive information security expert Robert Graham warned in a 2015 blog post.

Thankfully for consumers, there is no evidence that hackers exploited the flaws in active attacks before Lenovo on Jan. 18, 2015, instructed Superfish to deactivate the software at the server level.

"SuperFish intercepts HTTP(S) traffic using a self-signed root certificate. This is stored in the local certificate store and provides a security concern," Lenovo said in a security advisory it issued in February 2015, which described how owners of affected laptops could completely remove the Superfish software from their systems.

Lawsuits Targeted Lenovo, Superfish

Lawsuits were quickly filed against Lenovo and Superfish, with plaintiffs alleging that the companies had violated the Computer Fraud and Abuse Act, the U.S. Wiretap Act as well as California and New York consumer protection laws.

In October 2015, Superfish settled the class action lawsuit filed against it for $1 million, with plaintiffs saying that to have sought any more would likely have left the company bankrupt and left affected consumers unable to recover any damages. Superfish has since been dissolved.

"The Superfish settlement obligated Superfish to cooperate with plaintiffs in their continued litigation against Lenovo," according to court documents. "Superfish provided this cooperation by producing data and documents, providing technical assistance on various issues, and producing Superfish executives and employees for interviews."

In January 2016, Lenovo moved to dismiss the lawsuit against it, brought by class representatives Jessica Bennett, Richard Krause, Robert Ravencamp and John Whittle. But in October 2016, the court ruled that parts of the case could move forward, and in April, the parties reported that they'd reached a settlement agreement.

$8.3 Million Fund

As submitted to the court in July, that agreement says that Lenovo will add $7.3 million to the $1 million already paid by Superfish, making for an $8.3 million fund available to "all persons who purchased a Lenovo computer in the United States on which VisualDiscovery was installed by Lenovo," U.S. Judge Haywood S. Gilliam Jr. wrote in his Nov. 21 order granting preliminary approval of the settlement. If not all of the fund gets used, it will not revert to Lenovo, according to the agreement.

Anyone who purchased one of the affected Lenovo laptops - but not anyone who subsequently bought one second-hand - will be eligible to receive $40 as part of the settlement agreement. In addition, $300,000 of the settlement fund has been earmarked to cover any itemized claims "for reasonable out-of-pocket losses - e.g., for credit monitoring or technical support services -reasonably attributable to Visual Discovery," capped at $750 per system, according to the agreement.

Lenovo says 800,000 U.S. consumers purchased a laptop that had Superfish preinstalled. Of these, Lenovo says that 500,000 registered their devices with Lenovo or purchased them from such retailers as Amazon.com and Best Buy; they will be contacted directly. The others will be targeted via online advertising, including via Facebook and Twitter.

Lenovo systems on which Superfish Visual Discovery software was installed, which were sold from Sept. 1, 2014, to Feb. 28, 2015. (Source: Settlement agreement.)

Follows FTC Settlement

Separately, Lenovo last year reached a $3.5 million settlement agreement with the U.S. Financial Trade Commission and 32 state attorneys general (see: Lenovo, FTC to Settle Superfish Adware Complaint).

As part of that agreement, in which Lenovo also admitted no wrongdoing, the company agreed to get consumers' consent before preinstalling any advertising software on systems it sells, as well as to never misrepresent any software features. It also agreed to develop a security program, to run for 20 years, to review all software that it preloads onto its laptops.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.