Lenovo Sued for Superfish Adware Security Vulnerability
After all the national attention Lenovo received for the whole Superfish debacle, I think we all knew that Lenovo wasn’t going to get away without a good class action lawsuit, and according to a recent filing in a US District Court in Southern California, one is already in the works.
Filed by Jessica Bennett individually and on behalf of all the poor souls infected with the Superfish adware, the lawsuit alleges that by installing the Superfish adware, both Lenovo and Superfish violated a series of state and federal laws including California’s Invasion of Privacy Act, Federal Wiretap Act, Trespass to Personal Property/Chattels and California’s Unfair Competition Laws.
In the lawsuit, Bennett claims that she purchased a Lenovo Yoga 2 for her business as a blogger in late 2014. Shortly after her purchase, Bennett noticed that she was getting popups and advertisements involving “scantily clad women” on her clients’ websites. Fearing that her clients’ websites were hacked, she contacted her clients, but soon realized that it may have been her computer that was infected with adware, as she was getting the same popups and advertisements on other reputable sites. Bennett then researched the issue online, where she found that a number of other Lenovo laptop owners were reporting the same issues, and traced the problem to the Superfish software.
As we recently reported, Lenovo notebooks sold between September 2014 and January 2015 shipped with the Superfish “shopping aid” software pre-installed. Superfish is designed to provide shopping suggestions based on a user’s browsing history by intercepting communications between a user’s computer and the internet. By doing so, Superfish was effectively able to monitor user activity and intercept communications without a user’s permission. Superfish was also vulnerable to third-party hacking, which raised a multitude of security concerns. Although Lenovo downplayed the possible negative effects of Superfish at first, they quickly reversed their position after massive backlash from the cyber security community. Lenovo has now disabled Superfish on their side, stopped pre-loading the software on all future systems, and offers instructions on how to uninstall the adware. They’re also working with various anti-virus software companies such as Microsoft to detect and remove Superfish. However, those who aren’t aware of Superfish and don’t remove the software along with its SSL certificate remain vulnerable to attack.
Currently, the lawsuit is pending court approval to proceed. The plaintiffs are requesting Lenovo and Superfish pay statutory damages and give up all revenue gained through the Superfish adware.
As I said before, Superfish is one of the biggest screw-ups by a major computer vendor and Lenovo knows they’re going to pay big time for this one. The only question is how much and if it’s enough for them to learn from their mistakes.