Lenovo has come under heavy fire for violating consumer protection laws in the US by pre-installing adware on several laptops, which put users at risk of having their data hacked.
The adware-containing software, called ‘Visual Discovery’ and developed by Superfish, was found on several Lenovo-branded laptops produced in late 2014 and early 2015.
The Federal Trade Commission (FTC) and a coalition of 32 US states filed complaints expressing their concerns about the third-party software and have now reached a settlement where Lenovo has been directed to pay a fine of $3.5 million.
The main issue with the software was that it exposed systems to a vulnerability that could allow an attacker to conduct a man-in-the-middle attack, gaining access to the network connection and spying on the user’s internet activity even over a secured or encrypted connection.
“Going forward, Lenovo will better protect the personal identifying information of consumers, be more transparent about what software is pre-installed on the products it sells, and provide consumers clearer and more accessible ways to opt out of having such software activated – or present on the machine at all,” said Attorney General Christopher S. Porrino.
Lenovo had stopped shipping laptops preloaded with Visual Discovery in early 2015, but many laptops were already in retail stores or in consumers’ hands, and neither the FTC nor the US states were happy about that.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”
Although an agreement has been reached on the settlement fee, and the FTC and the state representatives are satisfied with the judgment, Lenovo still disputes that it jeopardized user security and privacy.
“Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” the company stated.
The company also said that, soon after it stopped shipping the allegedly infected laptops, it began working with anti-virus companies to curb the threat from laptops already sold with the Visual Discovery software pre-installed.
“To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications. Subsequent to this incident,” Lenovo added.