Lenovo and Superfish: Dangerous Malware on Laptops
April 3rd, 2015 By Christopher Dalbey
Lenovo carelessly placed thousands, if not millions, of its customers at substantial risk of eavesdropping and identity theft when Lenovo installed Superfish’s VisualDiscovery malware on more than 45 models of Lenovo laptops sold since September 1, 2014. This malware allows Superfish to spy on its users while they browse the Internet; Superfish then sends targeted advertisements to its users based on their browsing behavior. But the Superfish VisualDiscovery software also allows hackers to spy on users, potentially exposing those consumers to unprecedented data theft. Consumers expect much better from hardware manufacturers such as Lenovo, which are uniquely positioned to protect consumers and have the responsibility to do so. Lenovo knowingly allowed Superfish’s malware to nest deep within the Windows operating system, making it nearly impossible for antivirus software to find and stop it, let alone ordinary consumers. Lenovo and Superfish seemingly agreed to share the advertising revenue generated from the data that was illegally stolen from their customers’ laptops, showing that Lenovo and Superfish irresponsibly placed profits ahead of customers’ privacy and data security.
What Is Superfish?
The Superfish malware is especially pernicious because it defeats the primary security system (called the SSL/TLS protocol) that protects the privacy of communications made with secure “HTTPS” websites. This malware enables Superfish to intercept and decode all online communications made on the affected Lenovo laptops, including communications to secure websites such as online retailers, banks and health insurance companies. Moreover, the malware allows hackers to easily masquerade as genuine websites in order to steal customers’ communications with secure websites. For example, you could think you are logging in to Bank of America’s website but you are unknowingly giving your username and password to a hacker pretending to be Bank of America. A hacker could use the same trick to gain access to your private health records or to intercept your login credentials when you use PayPal, eBay, TurboTax, or any number of secure websites. With the information they can easily steal, hackers have endless opportunities to create havoc. They can apply for credit cards in your name, file tax returns in your name, sell your medical data, and ruin your credit. Adding insult to injury, Lenovo apparently knew that the Superfish malware was intentionally designed to spy on consumers and steal their private information, yet Lenovo decided to install the malware anyway.
Due to the Lenovo Superfish scandal, the U.S. Department of Homeland Security released an alert which urged Lenovo laptop owners to remove Superfish’s VisualDiscovery malware from their laptops. Lenovo has released an update that purportedly removes the malware, but security experts are not convinced that the update is completely effective. One report describes finding files with names such as “VisualDiscovery.exe” and “SuperfishCert.dll” after running Lenovo’s software update.
W&L Files Lawsuit Against Lenovo
Lenovo’s and Superfish’s egregious behavior is not just annoying; we believe it violates federal and state law. On March 3, 2015, Weitz & Luxenberg filed a class action lawsuit in federal court in Brooklyn, New York on behalf of two aggrieved consumers. On March 12, we followed with another lawsuit in federal court in San Jose, California. The plaintiffs in these lawsuits claim that Lenovo and Superfish violated the following federal computer security laws:
- Federal Wiretap Statute — prohibits intercepting or disclosing electronic communications without consent.
- Federal Computer Fraud and Abuse Act — prohibits trafficking in stolen passwords and obtaining information from a protected computer without authorization.
- Federal Stored Communications Act — prohibits taking stored information from a computer without authorization.
The plaintiffs also allege that Lenovo and Superfish violated their sales warranties and committed fraud by concealing what they knew about the dangerous Superfish malware. We demand compensation for all injured consumers, and that Lenovo and Superfish repair the damaged laptops at no expense to consumers. And we are not alone in taking action against Lenovo and Superfish. The Connecticut Attorney General recently opened an investigation into Lenovo’s and Superfish’s conduct.
The harmful effects of the Lenovo and Superfish scandal are still coming to light. This unfolding episode is a stark reminder of the power that hardware and software companies have over our most private information, and that we must be vigilant to ensure that they comply with the law and give the utmost priority to the security and confidentiality of our private data. If you own a Lenovo laptop and are worried that the security of your personal information may be at risk, please contact us today for a free consultation.