Lenovo's settlement with FTC over Superfish adware reached $7.3M

Lenovo agrees to pay $7.3 million for compromising users' security by pre-installing price comparison software on 28 models of its laptops

Lenovo pays $7.3 million for adware. Superfish adware, pre-installed on Lenovo laptops back in 2014-2015, cost the company $7.3 million.

The Beijing-based multinational tech company Lenovo agreed to a settlement[1] of $7.3 million to compensate customers for compromising their privacy and online security in 2014-2015, when it released 28 different laptop models with pre-installed software called Superfish[2] Visual Discovery.

Superfish was supposed to work as a comparison search engine that helps users find the best deals online. While it does not come as a surprise that laptops often ship with pre-installed bundled software, this case is different: the adware was able to intercept secure HTTPS connections and render them vulnerable to cyber attacks, monitor all traffic, and degrade PC performance by displaying intrusive advertisements from third-party websites.

Although Lenovo initially denied all the allegations, the Federal Trade Commission (FTC) demanded that Lenovo pay up for its actions. Superfish and Lenovo were charged with the following:[1]

  1. the Computer Fraud and Abuse Act
  2. California’s Unfair Competition Law
  3. California’s Consumer Legal Remedies Act
  4. California’s Computer Crime Law
  5. California’s Invasion of Privacy Act
  6. Trespass to chattels under California law
  7. New York’s Case
  8. Trespass to chattels under New York law.

Settlement details

The $7.3 million was agreed to be paid in order to settle 27 class action lawsuits, which were unified into a single trial in 2015. Superfish already funded another $1 million, so the total settlement fund has now reached $8.3 million.

In total, 800,000 notebooks were affected by the adware, including the following models: E-Series, the Edge Series, the Flex-Series, the G-Series, the Miix-Series, the S-Series, the U-Series, the Y-Series, the Yoga-Series, and the Z-Series.

500,000 users who registered their Lenovo purchase or bought the devices from retailers such as BestBuy or Amazon between the second half of 2014 and 2015 will be contacted directly, and the funds will be distributed as follows:[3]

The claims process will allow each participating class member to choose between (1) completing a short online claim form to recover an estimated $40 cash payment for every purchased computer, or (2) submitting receipts or other documentation to recover sums actually expended as a result of VisualDiscovery software being on the computer, up to $750. The proposed claim form and plan of allocation are Exhibits 2 and 3 to the Lenovo Settlement Agreement.

The other 300,000 users will be contacted by the company with the help of social networks, such as Facebook or Twitter, as well as via online advertising.

The incident serves as a warning to other computer manufacturers

Last year, in a separate deal, Lenovo already agreed to a $3.5 million settlement with the US Federal Trade Commission and 32 state attorneys general. This settlement also included an agreement that the company will not install potentially malicious software that can compromise customers' online safety, will inform users of any software that comes pre-installed, and will install a security software application for the next 20 years.[4]

The settlement did not come cheap for Lenovo, and it should serve as a lesson to other computer manufacturers. Bundled software[5] has become so common that manufacturers stopped paying attention to potential security flaws and concentrated on monetary gain instead.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
