Can Lenovo Brand Recover from Superfish Malware Scandal?
Lenovo is releasing an automated tool that will eradicate Superfish adware from PCs that shipped with the malicious software pre-installed, and Microsoft has updated Windows Defender to remove the malware. Nevertheless, the fallout continues. Lenovo CTO Peter Hortensius described the incident as a “significant mistake.”
Customers of Lenovo have been reporting a program installed on their PCs called Superfish, software that automatically displays advertisements, ostensibly to help consumers find products online. Superfish is designed to intercept all encrypted connections, which leaves the door open for spies, such as those from the U.S. National Security Agency, to break into PCs through man-in-the-middle attacks.
The company acknowledged the problem and said it has removed Superfish from its consumer PCs "until such time as Superfish is able to provide a software build that addresses these issues." Lenovo also requested Superfish auto-update a fix that addresses these issues. Superfish could not immediately be reached for comment.
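The article above describes Superfish as intercepting encrypted connections and opening PCs to man-in-the-middle attacks. As an added example, not from the article or from Lenovo, the script below shows one defender-side check for that kind of interception: it scans TLS telemetry from an endpoint for certificates whose issuer is not a known public CA, for pinned sites whose issuer has changed, and for a single unexpected issuer signing certificates for many unrelated domains, which is the signature of a locally installed interception root. The log format, the hostnames, the CA names and the issuer name "LocalInterceptRoot" are all constructed for this example.

```python
"""Spot TLS interception in endpoint TLS telemetry (added example).

Input format is assumed for this example: one JSON object per line with the
server name contacted, the issuer CN of the leaf certificate the client
actually received, and a short certificate fingerprint.
"""
import json
from collections import defaultdict

# Constructed sample telemetry. The first two lines are normal sessions.
# The last three show what interception looks like: every site, whatever
# its real CA, is re-signed by one root that lives only on this machine.
SAMPLE_LOG = """\
{"host": "www.example.com", "issuer_cn": "Example Public CA", "fp": "aa11"}
{"host": "bank.example.org", "issuer_cn": "Example Public CA", "fp": "bb22"}
{"host": "www.example.com", "issuer_cn": "LocalInterceptRoot", "fp": "cc33"}
{"host": "bank.example.org", "issuer_cn": "LocalInterceptRoot", "fp": "dd44"}
{"host": "mail.example.net", "issuer_cn": "LocalInterceptRoot", "fp": "ee55"}
"""

# Issuers the organisation expects to see (constructed names).
PUBLIC_CA_ALLOWLIST = {"Example Public CA", "Other Public CA"}

# Sites whose issuer should never change without a deliberate decision.
PINNED_ISSUERS = {"bank.example.org": "Example Public CA"}


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def find_interception(records, allowlist, pins, min_hosts=3):
    """Return a list of (finding_type, subject, detail) tuples.

    untrusted_issuer            : leaf cert issued by a CA not on the allowlist
    pin_mismatch                : pinned host served a cert from another issuer
    issuer_spans_unrelated_hosts: one non-allowlisted issuer signs certs for
                                  min_hosts or more distinct hosts
    """
    findings = []
    hosts_by_issuer = defaultdict(set)
    for r in records:
        host, issuer = r["host"], r["issuer_cn"]
        hosts_by_issuer[issuer].add(host)
        if issuer not in allowlist:
            findings.append(("untrusted_issuer", host, issuer))
        expected = pins.get(host)
        if expected is not None and issuer != expected:
            findings.append(("pin_mismatch", host, issuer))
    # A public CA legitimately signs many domains; an issuer that is NOT a
    # public CA yet covers many unrelated hosts is almost certainly a local
    # interception root.
    for issuer, hosts in hosts_by_issuer.items():
        if issuer not in allowlist and len(hosts) >= min_hosts:
            findings.append(("issuer_spans_unrelated_hosts", issuer, len(hosts)))
    return findings


if __name__ == "__main__":
    for finding in find_interception(parse_log(SAMPLE_LOG),
                                     PUBLIC_CA_ALLOWLIST, PINNED_ISSUERS):
        print(finding)
```

On the constructed sample the script reports three untrusted-issuer sessions, one pin mismatch for the banking host, and one issuer that spans three unrelated hosts; the two clean sessions produce nothing. Real deployments would feed it from whatever TLS visibility the endpoint or proxy already records, and would populate the allowlist from the actual public roots in use rather than the placeholder names here.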
Taking Lenovo to Task
We caught up with Jeff Kagan, an independent technology analyst, to get his thoughts on the fallout. He told us Lenovo has realized Superfish is causing significant damage to its brand. Indeed, the media and industry analysts are taking Lenovo to task over the malicious adware.
“This single Superfish issue can be enough to cause very significant damage to the trusted Lenovo brand and the solid relationship they have with customers,” Kagan said. “This is a serious problem.”
Although Lenovo customers have encountered problems with products over the years -- and the company has angered some Mac fans with its recent Yoga 3 launch that tricked people into believing they broke a MacBook in half -- Kagan said no past issue has damaged the brand relationship as swiftly as Superfish.
Can Lenovo Recover?
“It’s good that Lenovo is fixing this problem on their own rather than fighting it or ignoring it. It’s now up to the marketplace to weigh in with their opinions,” Kagan said. “They have a strong brand relationship with their customers. So recovery is not only possible but I would say is probable, if they can do everything right going forward.”
However, Kagan admitted the “strong brand” has taken some serious hits. He said Lenovo must forge ahead and emerge as better than ever if it wants to rebuild this breached trust.
“As an industry analyst, I will keep my eyes on them and hope they can move past this without any real, long-lasting problems,” Kagan concluded. “Let’s hope they learned an important lesson here. Don’t screw around with customer trust or you will lose it.”
Posted: 2015-02-24 @ 1:47pm PT
Also, notice this thing blew over during the Chinese New Year, when some substantial portion of execs would be busy heading back to their hometowns, especially the LBG division. If you fault Lenovo for not taking decisive action over this incident, don't forget the holidays. Hopefully they'll come up with a decisive response by Friday.
Posted: 2015-02-24 @ 1:42pm PT
Why shouldn't a hardware company bundle its kit with bloatware to increase profits? When I say that Lenovo is a hardware company, I mean that it acts and thinks like a hardware company; its software approach is a second thought at best, and no one ever buys Lenovo because they like Lenovo's utilities, interfaces, and bundled software.
Funny thing is, Lenovo bifurcated its internal operations into the Think Business Group and the Lenovo Business Group, with corporate and consumer focuses respectively. TBG has a CSO, obviously (imagine if Think and Lenovo's server business didn't have someone in charge of system security), but LBG has no CSO that can be Googled. Big mistake, huh?
Lenovo claims to be an adaptive / low-BS company. If they won't fire their CTO over this, fix the problem, have the TBG's CSO go over the processes associated with LBG's mishap, fire the rank-and-file manager who made the purchasing decision, make TBG's CSO LBG's acting CSO, then hire a CSO for LBG. Then literally pave over their failure by aggressively marketing a security package / service.
Posted: 2015-02-24 @ 8:14am PT
@Inst: Lenovo (or any other system integrator selling computers) cannot be "fundamentally a hardware company". Even companies that are more hardware than Lenovo, such as Foxconn, ASUS, MSI, Gigabyte, or, further into the silicon, Intel, Qualcomm, AMD, Nvidia, all have to deal with software that is distributed with their hardware. If Lenovo were truly a hardware company, it would not bundle its products with an operating system marred with bloatware.
The Chief Security Officer at a system integrator such as Lenovo needs only the ability to say yes or no to the software to be bundled. Leave security to a dedicated security consultancy outfit, which she can consult when in need. Important: she must be given veto power against the Chief Marketing Officer, who is the one trying to monetize the products by adding bloatware in the first place.
Posted: 2015-02-23 @ 11:22pm PT
Lenovo's problem is that it's fundamentally a hardware company, not a software company. It doesn't understand software and security threats that result from software, and consequently it's torpedoed its brand name with this incident.
Lenovo needs to establish a Chief Security Officer position on its board, develop a real capability to manage system security, and perhaps even monetize it by providing security consultancy services for its clients.
It has a huge opportunity to turn a crisis into a boon, but it's a matter of whether Lenovo wants to take this problem seriously or not.
Posted: 2015-02-23 @ 6:14pm PT
Lenovo may regain trust, but not with me. Fool me once....
Posted: 2015-02-23 @ 9:15am PT
To answer the question posed in the article title: Yes, the brand can recover if 1. the CEO and the CTO resign, and 2. Lenovo promises to never add bloatware of any kind moving forward.
Posted: 2015-02-22 @ 2:39pm PT
No doubt the Lenovo brand will recover, because (a) consumers have short memories; and (b) the practice of pre-installed bloatware has been common to the whole industry for more than a decade, and consumers know too little to care.
Superfish is not unique. It is just slightly more intrusive than the panoply of toolbars that manufacturers are paid to pre-install on retail PCs, and it has created an unprecedented uproar. Note that even Microsoft did not know about it, and following the uproar it updated Windows Defender.
Real and positive change will only come when consumers demand bare-bones / no-software-installed PCs.
Dodge De Bullet:
Posted: 2015-02-22 @ 9:27am PT
I just returned my Lenovo tablet, due to problems with the headphone jack, wi-fi dropping, and the inability to use it outdoors. I already had no intention of buying anything else from them. Now I feel even better.
Posted: 2015-02-20 @ 9:33pm PT
Perhaps one should think twice before buying any x86 servers from them. This also could be a game changer for BYOD policy.
Surreptitiously undermining certs, and introducing MITM vulnerabilities to “enhance the shopping experience” undermines trust in a way that no amount of PR spin can fix.
They say that they have "secure products...including the Yoga brand" while simultaneously loading Superfish on those machines.
Quoc Pham, Santa Ana CA:
Posted: 2015-02-20 @ 3:43pm PT
What will they do with the customers like me who already paid extra for a brand new version of Windows 7 Pro months ago out of frustration? I had no other options then.