Security Experts:

Lenovo Pays $7.3 Million to Settle Superfish Adware Lawsuit

Lenovo has agreed to pay $7.3 million to settle a consumer class action lawsuit related to the Superfish adware scandal from 2015.

Back in February 2015, experts revealed that a browser add-on named WindowShopper (VisualDiscovery) from Superfish had been injecting ads into web pages using a local proxy and a self-signed root certificate.

The problematic app, pre-installed on hundreds of thousands of Lenovo laptops, launched an MitM attack on users’ browsing sessions, allowing it to intercept sensitive information. Experts also raised concerns that by replacing legitimate certificates with its own, the software exposed people to malicious websites that used fake certificates.

Superfish previously agreed to pay $1 million in response to a class action lawsuit and now Lenovo has agreed to pay $7.3 million – the $8.7 million has been described as a “settlement fund” from which members of the class action can make claims.

Members can choose between receiving an estimated cash payment of $40 for every Lenovo device they have purchased, or submit receipts and other documentation to recover the money they spent dealing with the Superfish adware, up to $750.

The $8.3 million obtained by plaintiffs represents roughly a quarter of the $35 million they estimated to be the best case recovery following a trial.

Last year, Lenovo agreed to pay $3.5 million to settle Superfish-related charges with the U.S. Federal Trade Commission (FTC) and Attorneys General in 32 states. As part of that settlement, Lenovo is also required to obtain affirmative consent before activating this type of software, and it must maintain a comprehensive security program for preinstalled applications for a period of 20 years.

Related: Uber Agrees to $148M Settlement With States Over Data Breach

Related: Altaba Settles Yahoo Breach Lawsuits for $47 Million

Related: Yahoo to Pay $50M, Other Costs for Massive Security Breach

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.