Intel Targeted By 32 Lawuits For Meltdown And Spectre Vulnerabilities, Alleged Insider Trading

The Meltdown and Spectre vulnerabilities have left the world's computers exposed to perhaps the most pervasive security vulnerability of our time, but they have also left Intel and the other companies involved exposed to lawsuits. 

Intel filed its annual report with the U.S. Securities and Exchange Commission today, and a section buried in the document explains that the company has come under fire from 30 consumer class action lawsuits and two securities class action lawsuits because of the vulnerabilities.

Intel explains that the 30 consumer class action plaintiffs "claim to have been harmed by Intel's actions and/or omissions in connection with the security vulnerabilities" and seek monetary damages and equitable relief.

The two securities class action plaintiffs are shareholders who "allege that Intel and certain officers violated securities laws by making statements about Intel's products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities." These lawsuits likely center on the fact that Intel, and the rest of the industry, kept the vulnerabilities under a shroud of secrecy as they worked on patches. Intel also continued to release new products, such as Coffee Lake, that were vulnerable to Meltdown and Spectre without divulging that they were selling potentially compromised products, which has been a common complaint.

Given the procedural posture and the nature of these cases, including that the proceedings are in the early stages, that alleged damages have not been specified, that uncertainty exists as to the likelihood of a class or classes being certified or the ultimate size of any class or classes if certified, and that there are significant factual and legal issues to be resolved, we are unable to make a reasonable estimate of the potential loss or range of losses, if any, that might arise from these matters.

Intel believes the cases have no merit, of course, and says it intends to defend itself vigorously. The company also acknowledges there may be more lawsuits lodged against it and that it cannot predict the long-term financial impact to its business. This seems to foreshadow a change to the messaging--the company has repeatedly said that it does not expect any material impact to its businesses.

It seems that the legal action is also ensnaring Intel CEO Brian Krzanich. The document outlines two more legal actions:

In addition to these lawsuits, in January 2018, Joseph Tola, Joanne Bicknese, and Michael Kellogg each filed a shareholder derivative action in the Superior Court of the State of California in San Mateo County against certain members of our Board of Directors and certain officers. The complaints allege that the defendants breached their duties to Intel in connection with the disclosure of the security vulnerabilities and the failure to take action in relation to alleged insider trading. The complaints seek to recover damages from the defendants on behalf of Intel.

The statement does not specifically mention Krzanich, but we know he has come under fire for his trading activity before the disclosure, and a U.S. senator, among many others, has also called for an SEC investigation into his activities. Now it appears that certain board members are also under fire for inaction on investigating possible insider trading.

Unfortunately, the saga continues to unfold on the vulnerability front. Researchers recently uncovered new variants that are covered by the recent patches, but the discovery shows how easy it is to develop new variants based on the fundamental principles behind the current vulnerabilities. That means that new 'strains' may emerge soon that aren't mitigated by the current patches.

It's notable that these current lawsuits could see the company easily eclipsing its previous $475 million charge for the Pentium FDIV bug in 1994 and the $700 million charge for the Cougar Point chipset issues in 2011. Intel has also not disclosed which customers have instituted these legal actions, but any legal action from a Super Seven data center customer, such as Google, Microsoft, or Baidu, could spell tremendous trouble for the company.

Intel is also contending with the distributed nature of the lawsuits, which are taking place in several countries and jurisdictions. The company will undoubtedly be untangling the legal mess for years to come. AMD has also come under fire from two lawsuits that we are aware of, but it wouldn't be surprising to see the company issue a similar statement soon.

Paul Alcorn
Managing Editor: News and Emerging Tech

Paul Alcorn is the Managing Editor: News and Emerging Tech for Tom's Hardware US. He also writes news and reviews on CPUs, storage, and enterprise hardware.

  • redgarl
    AMD is having a bunch to, however, I would be surprise if anyone can apply for them. We are talking about a 0.15$ drop for the particular day in the share and you can only apply if you lost more than 100k$.
  • nuvon
    People just want to make quick money.
  • valeman2012
    Intel knew about it more 1 year for sure, and they choose to safely advertise Kaby Lake and Coffee Lake CPUs to the shop.

    AMD also knew about for years too, but the AMD prevented security bug-Meltdown quietly which leaves them to Spectre lawsuits after being careless.
  • Heloc
    This is all pretty boiler-plate language in a company's annual report. Everyone who deals with those reports knows that that important stuff is always in the footnotes and, in fact, the document is mostly the footnotes.

    Any publically traded company is required to disclose any lawsuits or regulatory activity that might have a material effect on their financial statements.

    You'll know that Intel knows they're screwed when you see a liability show up on their balance sheet for an estimated settlement while the case is still making it's way through the courts.
  • hixbot
    Of course they kept the vulnerabilities secret. If they announced the vulnerabilities before patches were available, they'd be opening the door to criminals. They probably should have delayed new hardware sales, however.
  • Heloc
    20717622 said:
    Of course they kept the vulnerabilities secret. If they announced the vulnerabilities before patches were available, they'd be opening the door to criminals. They probably should have delayed new hardware sales, however.

    Right on. I can come up with plenty of explanations for why intel did what they did where they were operating in good faith except that they kept selling a product they knew to be vulnerable. That's just to protect their profits. I mean, even that isn't like, totally evil as their still looking out for their employees and stock holders (and many of the employees are stock holders too) but the way it's supposed to work is that the company takes care of the customers and the customers help the company take care of everyone else.
  • berezini.2013
    This looks bad for cpu business all together. if Intel crashes and burns to hell there would only be AMD which has really bad efficiency rating. Every release AMD has ever made with a new launch people that bought into it have suffered one way or another. The only way not to see it is to cover up your eyes and be ignorant.
  • phobicsq
    These companies need to be held accountable for this. Sadly all the people will see little money from the suit that will likely take years. Large companies have a great solution in the US as they can basically do what they want because thru can afford to pay damages. The pharmaceutical industry has been making fines and lawsuits a part of doing business for a long time.
  • therealduckofdeath
    I can't see anyone with a processor older than 2017 standing a chance getting anything. Depending on when Intel and AMD knew about it, consumers with the newest processors, bought before it was made public, could probably see a chance getting something for loss of performance?
  • blazorthon
    IDK if anyone will really get anything out of this, but it's pretty obvious that someone in Intel had to know at least about Meltdown many years ago. The security features are advertised as working, so they had to have been tested to make sure they actually prevent illegal operations.

    If Intel didn't actually test them, then you have criminal negligence and maybe false advertising. If Intel did test them and just didn't care that they didn't work right, then you have criminal negligence and definitely false advertising.

    The insider trading allegations have some pretty damning evidence too. Big execs selling off to minimum stock allowed to hold their job right before huge negative press releases? Come on, at least try to be discrete.