Two Lawsuits Filed Against Lenovo Over Superfish Scandal

News
By Rexly Peñaflorida
published

Lenovo's Superfish adware drew a lot of anger and criticism last week to the point where the software was immediately disabled and the company promised it would not upload it in future releases. Even with Superfish disabled and Lenovo's assurance that there were no vulnerabilities associated with the software, the effect on affected products is irreversible. In the wake of the incident, a class-action lawsuit was filed against Lenovo last week which could put the company in jeopardy.

The class-action suit, with blogger Jessica Bennett as the plaintiff, was filed at the U.S. District Court in the Southern District of California. Bennett claims that Lenovo invaded her privacy and made a profit by keeping track of her online browsing.

She initially noticed the problem when she wrote a blog post for a client's website with the website featuring spam ads "involving scantily clad women." Further investigation by Bennett on other websites showed more pop-up ads, which led her to believe her Yoga 2 was compromised or contained spyware. She eventually found the source on the Lenovo forums in the form of the company's Superfish software.

Superfish worked by placing ads in search engines and other websites without the user's permission. It also made secure connections vulnerable because of the company's own root certificate, which would replace a secure site's own certificate. Even though the software is now deactivated, those who had Superfish on their Lenovo devices are still vulnerable to hackers who can monitor user traffic and steal important banking credentials.

Another law firm also opened up a class action lawsuit against Lenovo and is encouraging customers to reach out if they want to participate. Both cases are still in their early stages, so the process could take some time before Lenovo gets its day in court. But with Lenovo potentially fighting a legal battle on two fronts, the company seems to be taking a turn for the worse, with the trust of customers slowly fading away.

Follow Rexly Peñaflorida II @Heirdeux. Follow us @tomshardware, on Facebook and on Google+.

Rexly Peñaflorida
14 Comments Comment from the forums
  • thundervore
    And the lawsuits begin. I bet most of the people complaining about privacy invasion are freely giving this information away on Facebook, Twitter, Instagram and other social sites.

    Honestly, this will not put Lenovo in jeopardy. Major corporations who use Lenovo hardware wont care as they wipe the machines and place their own image on them and that makes up a bulk of their sales compared to the average customer buying a Lenovo laptop from Best Buy or Amazon.
    Reply
  • Spoogemonkey
    These types of breach of public trust issues are very difficult to overcome in the eyes of consumers. As well they should be.

    You can do a lot of crazy <mod edit> as a company and get away with it. This isn't one of them.

    <Moderator Warning: Let's watch the language in these forums>
    Reply
  • surphninja
    I support a number of users at the local district attorney's office that use Lenovos, and they are livid that so much confidential information could have potentially been compromised.

    I wonder how many other government agencies and corporate customers were potentially affected. The hammer is going to come down hard on them for this.
    Reply
  • burmese_dude
    Good. I hope Lenovo gets every penny stripped for pulling a stunt like that. First thing they should've done was to apologize and let the public know the clown/executive who thought this was a good idea has been fired with a kick in the behind.
    Reply
  • therealduckofdeath
    surpninja? more like spinninja....
    It's adware, not rootkits.

    Furthermore, I don't know of a single government institution that doesn't use a custom install on their PC's. For this and many other reasons.
    Reply
  • d_kuhn
    This is the clearest case of a company negligently putting their customers private information at risk in the name of making a buck I've ever seen... they're defeating secure http and sending users encrypted data (like banking data) insecurely just so they can inject sleazy adverts in your browser. Wow... just wow.
    Reply
  • NotProfit
    therealduckofdeath.... just how many government agencies have you been involved with? Even the department of defense had these floating around. Stupid? Yes. Unsafe? Oh yeah. Negligence on the part of the consumer? Sure.

    Is Lenovo really responsible? Hard to say.... but I do know it's ridiculous to say the consumer is at fault for not buying a second OS license key when they've already paid for the first one, and no, the key that comes with your Lenovo can't be activated on a new fresh copy of Windows, not even over the phone. Only the included disk (or downloaded from Lenovo FTP) which still has superfish. Just my experience over the last month.
    Reply
  • surphninja
    15356623 said:
    Furthermore, I don't know of a single government institution that doesn't use a custom install on their PC's. For this and many other reasons.

    There are many different circumstances in which a government pc would use the factory image. I'm not going to get into the details on exactly what happened in this case, but you should call Lenovo and ask what's necessary to transfer the license to a new image. Good luck.
    Reply
  • I think that Lenovo is about to figure out just saying "there's no problem" just isn't going to cut it.

    I'm pretty sure most of their business comes from corporations, which just aren't going to put up with this. It doesn't matter if this was on consumer laptops only. A reputation is pretty easy to destroy, and this has just done it.
    Reply
  • therealduckofdeath
    I've worked for both Dell and HP in the past. The public sector doesn't walk into the local store to buy a new lappie with the pre-installed OEM software, for the new guy. They buy them in bulk, and these days the manufacturers even offer custom preloaded installs in those cases they don't feel like doing that themselves. They also usually follow a strict software policy like ITIL, where nothing not extensively tested is allowed on their computers.

    I know it's fun to spread FUD on the internet. Because you can come up with any wild anecdotal story and say it's "facts".
    Reply