Lenovo can go ahead with the settlement of a class action suit in the United States that was started after the company was found to install Superfish adware on its laptops. An American judge granted initial approval of an $8.3 million settlement. Final approval needs to come from a federal judge.
When the settlement gets its final approval, $8.3 million will become available to the plaintiffs which found that Lenovo caused privacy and security flaws by pre-installing software from Superfish on its computers. From the settlement of $8.3 million, Superfish will pay $1 million to the plaintiffs.
Superfish was a type of adware that injected advertisements in websites. To make it possible to add advertisements to HTTPS encrypted websites, the adware used its own self-signed certificate authority. The certificate used the same private key on all laptops which allowed attackers to perform man-in-the-middle attacks on systems running Superfish. With the man-in-the-middle attacks it was possible to access and modify any information viewed and/or entered on websites without any browser warnings.
In total, Superfish was installed on 40 different types of Lenovo laptops. After the debacle, Lenovo released a removal-tool and the company promised to install less pre-installed software on its computers in the future. Victims were offered a free 6-month subscription to McAfee antivirus and the company made recovery media available without Superfish.
Lenovo already settled with the American Federal Trade Commission (FTC) for $3.5 million earlier this year. Part of this settlement is also that Lenovo can only install similar software on computers after the explicit consent of the users. The company also has to implement an extensive software security program for consumer software that is pre-installed on its laptops.