The Meltdown and Spectre vulnerabilities have left the world's computers exposed to perhaps the most pervasive security vulnerability of our time, but they have also left Intel and the other companies involved exposed to lawsuits.
Intel filed its annual report with the U.S. Securities and Exchange Commission today, and a section buried in the document explains that the company has come under fire from 30 consumer class action lawsuits and two securities class action lawsuits because of the vulnerabilities.
Intel explains that the 30 consumer class action plaintiffs "claim to have been harmed by Intel's actions and/or omissions in connection with the security vulnerabilities" and seek monetary damages and equitable relief.
The two securities class action plaintiffs are shareholders who "allege that Intel and certain officers violated securities laws by making statements about Intel's products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities." These lawsuits likely center on the fact that Intel, and the rest of the industry, kept the vulnerabilities under a shroud of secrecy as they worked on patches. Intel also continued to release new products, such as Coffee Lake, that were vulnerable to Meltdown and Spectre without divulging that it was selling potentially compromised products, which has been a common complaint.
"Given the procedural posture and the nature of these cases, including that the proceedings are in the early stages, that alleged damages have not been specified, that uncertainty exists as to the likelihood of a class or classes being certified or the ultimate size of any class or classes if certified, and that there are significant factual and legal issues to be resolved, we are unable to make a reasonable estimate of the potential loss or range of losses, if any, that might arise from these matters."
Intel believes the cases have no merit, of course, and says it intends to defend itself vigorously. The company also acknowledges there may be more lawsuits lodged against it and that it cannot predict the long-term financial impact to its business. This seems to foreshadow a change to the messaging--the company has repeatedly said that it does not expect any material impact to its businesses.
It seems that the legal action is also ensnaring Intel CEO Brian Krzanich. The document outlines two more legal actions:
"In addition to these lawsuits, in January 2018, Joseph Tola, Joanne Bicknese, and Michael Kellogg each filed a shareholder derivative action in the Superior Court of the State of California in San Mateo County against certain members of our Board of Directors and certain officers. The complaints allege that the defendants breached their duties to Intel in connection with the disclosure of the security vulnerabilities and the failure to take action in relation to alleged insider trading. The complaints seek to recover damages from the defendants on behalf of Intel."
The statement does not specifically mention Krzanich, but we know he has come under fire for his trading activity before the disclosure, and a U.S. senator, among many others, has also called for an SEC investigation into his activities. Now it appears that certain board members are also under fire for inaction on investigating possible insider trading.
Unfortunately, the saga continues to unfold on the vulnerability front. Researchers recently uncovered new variants that are covered by the recent patches, but the discovery shows how easy it is to develop new variants based on the fundamental principles behind the current vulnerabilities. That means that new 'strains' may emerge soon that aren't mitigated by the current patches.
It's notable that these current lawsuits could see the company easily eclipsing its previous $475 million charge for the Pentium FDIV bug in 1994 and the $700 million charge for the Cougar Point chipset issues in 2011. Intel has also not disclosed which customers have instituted these legal actions, but any legal action from a Super Seven data center customer, such as Google, Microsoft, or Baidu, could spell tremendous trouble for the company.
Intel is also contending with the distributed nature of the lawsuits, which are taking place in several countries and jurisdictions. The company will undoubtedly be untangling the legal mess for years to come. AMD has also come under fire from two lawsuits that we are aware of, but it wouldn't be surprising to see the company issue a similar statement soon.