On Friday Intel filed its annual report, in which it disclosed that a total of 32 lawsuits have been filed against the company in connection with the Spectre and Meltdown vulnerabilities. Thirty of the lawsuits are class action claims against Intel by its customers, both in the USA and abroad. The two other suits were filed by Intel shareholders concerning the violation of financial securities laws.
As background to the above-mentioned lawsuits, it is important to remember the following things:
- Intel admits that in June 2017, a Google research team first notified it about various security vulnerabilities (now commonly referred to as 'Spectre' and 'Meltdown').
- On 3rd January 2018, information on the security vulnerabilities was publicly reported, before software and firmware updates to address the vulnerabilities were made widely available.
- Intel Chief Executive Brian Krzanich sold 889,879 shares in the company on 29th Nov as per a trading plan adopted on 30th Oct, making roughly $39 million from the sale, well before the details of the flaw were made public.
In general, the customers filing class actions against Intel "claim to have been harmed by Intel's actions and/or omissions in connection with the security vulnerabilities," says Intel in its report (PDF page 124 of 201). Negative effects of the Spectre and Meltdown flaws include, among others: systems that are vulnerable to hacking unless patched (and patches might not become available), various performance penalties on systems that are patched, and the inconvenience and costs of patching / updating said systems.
One set of securities class action plaintiffs alleges that Intel made false statements about products and internal controls after it was aware of the vulnerabilities. Another set of plaintiffs says that certain Intel board members and officers "breached their duties to Intel in connection with the disclosure of the security vulnerabilities and the failure to take action in relation to alleged insider trading". Both of these complainants are looking for monetary damages.
Going forward, Intel has already promised to do better with regard to such vulnerabilities with its Security First Pledge. Its first Meltdown and Spectre-proof CPUs will launch later this year. Last but not least, Intel recently widened its bug bounty scheme to include the sort of side-channel exploits that delivered Spectre and Meltdown.